F5 APM AES256 in keytab for Kerb Auth failed

Poseidon1974
Cirrostratus

Hi,

I am a newbie on F5 APM. Currently we have to authenticate users to access applications; I use the Kerberos protocol via a keytab file uploaded on the F5 APM. However, when I want to change the encryption algorithm (RC4 to AES 256), the user sees an authentication pop-up, nevertheless the authentication should be transparent for the user and they should not have to enter their login/password (use of the keytab file). I cleared the browser cache / restarted the computer but still the same problem, following that I did a rollback with the encryption parameters (RC4) of the keytab file.

BTW: I see a fallback from item 'Kerberos Auth' to ending Deny in the Splunk log.
Do you have any ideas?

Thanks in advance


Hi @Poseidon1974 ,

Please refer to the following articles:

https://my.f5.com/manage/s/article/K01716018#CreateKeytabKtpass


Impact of procedure: Using the ktpass command with certain parameters on a domain controller may modify the AD service account. F5 recommends that you perform this procedure during a scheduled maintenance window for the specific service.

Important: The following command uses AES256-SHA1 encryption. You must therefore select the This account supports Kerberos AES 256 bit encryption check box for the user you created in step 2.

Use these commands:

ktpass
ktutil
rkt
wkt

K24065228: Troubleshooting issues with BIG-IP APM Kerberos end-user logon authentication
https://my.f5.com/manage/s/article/K24065228

https://my.f5.com/manage/s/article/K24065228#VerifyEncryption

K73872229: Configure BIG-IP APM KDC validation in AD authentication

https://my.f5.com/manage/s/article/K73872229

K01716018: Configuring Kerberos end-user logon authentication for multiple applications by merging keytab files

https://my.f5.com/manage/s/article/K01716018

K17371: BIG-IP APM may fail to authenticate when Kerberos AAA servers have different keytab files
https://my.f5.com/manage/s/article/K17371


https://my.f5.com/manage/s/article/K000130298

https://my.f5.com/manage/s/article/K18315582

HTH
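Before re-running ktpass/ktutil, it helps to know exactly which keys the keytab you uploaded to APM actually contains. The following is an added example, not code from this thread or from F5: it parses the MIT keytab file format (the format `ktutil` reads and writes) and lists each entry's principal, kvno and enctype, so you can confirm an aes256 key is present and that all entries share the kvno you expect. The realm, SPN and key bytes in `SAMPLE` are constructed; run `parse_keytab(open("your.keytab", "rb").read())` against a real file.

```python
import struct

def _cstr(buf, off):
    """Read one counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] from an MIT keytab (magic 0x0502)."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    out, off = [], 2
    while off < len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = _cstr(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(buf, p)
            comps.append(c.decode())
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", buf, p)
        enctype, klen = struct.unpack_from(">HH", buf, p + 9)
        p += 13 + klen                     # skip the key bytes; never print them
        if p + 4 <= end:                   # optional 32-bit vno overrides vno8 if set
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return out

def aes_readiness(entries):
    """Summarise what APM will find (enctype 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac)."""
    encs = {e for _, _, e in entries}
    return {"aes256": 18 in encs, "rc4_only": encs <= {23}, "kvnos": sorted({k for _, k, _ in entries})}

def _entry(realm, comps, kvno, enctype, key):
    """Build one keytab entry for the constructed sample below (not a real key)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: one SPN carrying both an rc4-hmac key and an aes256 key, kvno 23.
SPN = (b"EXAMPLE.LOCAL", [b"HTTP", b"app.example.local"])
SAMPLE = b"\x05\x02" + _entry(*SPN, 23, 23, b"\x11" * 16) + _entry(*SPN, 23, 18, b"\x22" * 32)
```

A keytab that reports `rc4_only` is true, or whose kvno differs from what the domain controller holds for the service account, is what to fix before changing the enctype on the APM side.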

Hi,

Thanks for your reply, I will check this link.

Poseidon

Hi,

I have this error:

LOCAL kvno 23 enctype aes256-cts found in keytab but cannot decrypt ticket

Can you help?

Thanks

Any help?

Hi,

Any update?

Thanks