Problems with Kerberos and delegation account

You can actually use two different types of values in the APM Kerberos SSO username field, the AD account's sAMAccountName (pre-Windows 2000 name), or the userPrincipalName (logon name). Either can be used to find and reference the account for constrained delegation, and in the simplest scenarios perhaps the sAMAccountName option is easier. I tend to use the UPN more often than not though, mostly out of habit, but also because it becomes necessary in multi-domain/cross-domain/cross-forest situations where the sAMAccountName can be ambiguous.

 

When you use the UPN (ie. host/my-apm-sso.domain.com), that exact string value must be entered:

 

1. In the AD account's logon name field,
2. In the AD account's servicePrincipalName attribute, and
3. in the APM Kerberos SSO profile username field.

hi again yes - it is just a bit confusing if you look at the guide here: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-1-0/3.html

 

where f.ex these notes gives me the impression that the f5-apm module will do some string operations on the user-account to f.ex identify services or realm from it:

 

Open the Active Directory Users and Computers administrative tool and create a new user account. The account name must be in this format, host/name.domain, where host is a literal string, name is any arbitrary name, and domain is the DNS FQDN for that realm. Here is an example, host/apm.example.com.

 

anyway - seems to be working also with a not-so-complex string for that user-account.

 

thanks for the help