F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Oct 04, 2018

APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually

I'm running into this well known KCD SSO error. I have APM performing the necessary SSO variable definitions using LDAP queries which map certificate IDs (Domain userPrincipalName) to sAMAccountNames...
application delivery
BIG-IP Access Policy Manager (APM)
action_-_322447's avatar
action_-_322447
Icon for Nimbostratus rankNimbostratus
Oct 11, 2018

Just my 2c, might not be relevant to your situation.

 

I experienced something similar when I was trying to set up an office online server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files and the IIS site used anonymous authentication.

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 31, 2018

Now it's all starting to come together. ;)

 

So a few additional questions,

 

  • Is it still producing the original error, or has it changed (working after the 3rd attempt)?
  • When it works, do you actually see good APM logs to indicate it worked ("S4U == OK!")?
  • In APM-to-KDC captures, do you see any differences between the Kerberos traffic of good and bad tests?
  • Is there more than one server, and does it work consistently with one but not another?
  • Is there more than one KDC, and have you looked to see if APM is talking to more than one of them between tests?
  • Have you set the APM SSO account to use the full SPN syntax, vs. short name?
  • Have you tried the KRB5_TRACE option detailed above?
  • And just in case you've stumbled on a bug, have you opened a support case?