Forum Discussion

dp_119903

Cirrostratus

Sep 15, 2015

Non local kerberos realm

I have kerberos for server-side (SSO) working just fine. My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain...

BIG-IP Access Policy Manager (APM)

security

Kevin_Stewart

Employee

Sep 29, 2015

For SSO you don't specifically need to modify the /etc/krb5.conf, except for setting dns_lookup_kdc to true. The most important thing is that APM can resolve the KDCs of all of the domains.

With the proper trusts in place, if from the command line you can nslookup/dig the the domain names and return the KDCs, then:

a. Set APM SSO logging to debug and reply back here with that log

b. Capture the Kerberos traffic between APM and the KDC, either directly with Wireshark on the KDC or with tcpdump and import into Wireshark.

tcpdump -lnni 0.0 -Xs0 -w [write to file] port 88 [and any other filters]

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Non local kerberos realm

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Can F5 restrict the file types transferred via FTP?

LTM issue Openning new web browser tab

SSO login for APM Profiles

SFP Port LEDs Blinking Yellow

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Living on the AWS Edge - Local Zones

Kerberos is Easy - Part 2

APM Cookbook: Single Sign On (SSO) using Kerberos

Verifying Local Traffic Policy and iRule Precedence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS