For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Sep 15, 2015

Non local kerberos realm

I have kerberos for server-side (SSO) working just fine.   My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 29, 2015

For SSO you don't specifically need to modify the /etc/krb5.conf, except for setting dns_lookup_kdc to true. The most important thing is that APM can resolve the KDCs of all of the domains.

With the proper trusts in place, if from the command line you can nslookup/dig the the domain names and return the KDCs, then:

a. Set APM SSO logging to debug and reply back here with that log

b. Capture the Kerberos traffic between APM and the KDC, either directly with Wireshark on the KDC or with tcpdump and import into Wireshark. 

tcpdump -lnni 0.0 -Xs0 -w [write to file] port 88 [and any other filters]