Forum Discussion
Problems with Kerberos and delegation account
You can actually use two different types of values in the APM Kerberos SSO username field, the AD account's sAMAccountName (pre-Windows 2000 name), or the userPrincipalName (logon name). Either can be used to find and reference the account for constrained delegation, and in the simplest scenarios perhaps the sAMAccountName option is easier. I tend to use the UPN more often than not though, mostly out of habit, but also because it becomes necessary in multi-domain/cross-domain/cross-forest situations where the sAMAccountName can be ambiguous.
When you use the UPN (i.e. host/my-apm-sso.domain.com), that exact string value must be entered:
- In the AD account's logon name field,
- In the AD account's servicePrincipalName attribute, and
- In the APM Kerberos SSO profile username field.
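
A consistency check for the three places listed in the post above, as an added example that is not part of the original post. The function name `Test-ApmSsoAccount` and the sample account are constructed for illustration; the check assumes the logon name is the part of `userPrincipalName` before the last `@` and compares case-sensitively, since the post calls for the exact string.

```powershell
# Added example (not from the original post): verify that the same string is
# used on the AD delegation account and in the APM Kerberos SSO profile.
function Test-ApmSsoAccount {
    param(
        # Object exposing userPrincipalName and servicePrincipalName
        [Parameter(Mandatory)] $Account,
        # Value typed into the APM Kerberos SSO profile username field
        [Parameter(Mandatory)] [string] $ApmUsername
    )
    $findings = @()

    # Assumption: logon name = userPrincipalName up to the last '@' (the UPN suffix follows it).
    $upn = [string]$Account.userPrincipalName
    $at = $upn.LastIndexOf('@')
    $logonName = if ($at -ge 0) { $upn.Substring(0, $at) } else { $upn }

    if ($logonName -cne $ApmUsername) {
        $kind = if ($logonName -ieq $ApmUsername) { 'differs only in case from' } else { 'does not match' }
        $findings += "logon name '$logonName' $kind APM username '$ApmUsername'"
    }

    # servicePrincipalName is multi-valued; one entry must be the exact string.
    $spns = @($Account.servicePrincipalName)
    if ($spns -cnotcontains $ApmUsername) {
        $near = $spns | Where-Object { $_ -ieq $ApmUsername }
        if ($near) {
            $findings += "servicePrincipalName '$near' differs only in case from '$ApmUsername'"
        } else {
            $findings += "no servicePrincipalName equals '$ApmUsername'"
        }
    }

    [pscustomobject]@{ Consistent = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample account: the SPN was entered with an upper-case service class.
$sample = [pscustomobject]@{
    userPrincipalName    = 'host/my-apm-sso.domain.com@DOMAIN.COM'
    servicePrincipalName = @('HOST/my-apm-sso.domain.com')
}
Test-ApmSsoAccount -Account $sample -ApmUsername 'host/my-apm-sso.domain.com'

# Against a live directory (requires the ActiveDirectory module):
#   $acct = Get-ADUser -Identity '<delegation-account>' -Properties servicePrincipalName
#   Test-ApmSsoAccount -Account $acct -ApmUsername 'host/my-apm-sso.domain.com'
```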