F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Sep 15, 2015

Non local kerberos realm

I have kerberos for server-side (SSO) working just fine.   My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 16, 2015

You should also be specifying the user's real domain in the session.logon.last.domain variable. APM Kerberos SSO won't chase Kerberos referrals so you have to tell it which domain the user belongs to. Try the short name (bob) and the real domain as SSO inputs.

 

Also if the UPN you're trying is using a domain alias (ie. doesn't exactly match the real domain name), then you MUST use the sAMAccountName (short) name.

 

Is this a FULL transitive trust, forest trust, or selective trust?