10-Oct-2023 13:32
Hi,
I am a newbie on F5 APM. I use Kerberos authentication via a keytab, and I get this error message in the SIEM logs when a user tries to connect; also, the user sees a pop-up asking them to authenticate. Normally it should be transparent for a user who is already in the domain:
"LOCAL kvno 24 enctype aes256-cts found in keytab but cannot decrypt ticket"
Any help?
Thanks,
18-Oct-2023 11:19
Curious if @Niels_van_Sluis could answer this one? I'll poke around to see if I can find someone else just in case Niels doesn't have time.
23-Oct-2023 11:28
Maybe he doesn't understand my issue?
23-Oct-2023 11:31
I've just sent your thread to some colleagues to try to get you the answer you need.
23-Oct-2023 11:31
Do you need more information, or is it OK?
24-Oct-2023 00:45
Hi,
Any update?
25-Oct-2023 08:50
Hi,
Still the same issue...
30-Oct-2023 05:16
Hi,
Any update?
Thanks,
19-Oct-2023 07:40 - edited 19-Oct-2023 07:47
Hi,
What instructions did you use to configure Kerberos authentication? This knowledge article helps with debugging Kerberos issues:
Troubleshooting issues with BIG-IP APM Kerberos end-user logon authentication (f5.com)
Maybe one thing to check: make sure that in the account properties in AD, on the 'Account' tab, the account option 'This account supports Kerberos 256 bit encryption' is enabled.
20-Oct-2023 05:27
Hi
Thanks for this reply. We use the same (AD) account for both SPNs; for one URL it's OK with AES, but not OK for the second URL. We didn't have any issue with RC4 before.
Regards,
23-Oct-2023 11:26
Hi,
As explained, I use a keytab file for two SPNs; only one SPN works with AES (without a pop-up), however the other SPN does not (the user sees a pop-up displayed asking for their credentials). We have no problem with RC4 encryption.
23-Oct-2023 11:21
Not solved
24-Oct-2023 06:38
Not sure if I can help
https://support.f5.com/csp/article/K24065228

Verifying the Kerberos encryption configuration

The encryption type in the keytab file must support the encryption used to encrypt the Kerberos service ticket on the client system. To view the supported encryption types in the keytab file using the BIG-IP Configuration utility, refer to the "Verifying the service account name configuration on the KDC and BIG-IP APM" procedure in this article. To display the encryption used to encrypt the Kerberos service ticket, use the klist command described in the "Verifying the Kerberos tickets on the client device with the klist command" procedure in this article. For more information on configuring Kerberos encryption on Windows, refer to "Windows Configurations for Kerberos Supported Encryption Type".

Note: This link takes you to resources outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 recommends using the AES 256 bit encryption type. To configure this, you need to enable the "This account supports the Kerberos AES 256 bit encryption" option on the Account tab in the AD Properties, and also when generating the keytab file with the ktpass command.
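The KB procedure above boils down to three checks that APM makes when it receives a service ticket: is there a keytab entry for the SPN the client asked for, does its enctype match the ticket's enctype (as shown by klist on the client), and does its kvno match the ticket's kvno. The log line in the first post says all three passed and only the actual decryption failed, which means the key bytes in that entry are not the key the KDC uses. The example below is added here and is neither the thread's nor F5's code: it parses an MIT-format (0x0502) keytab offline, applies the same lookup, and adds one further check for the "two SPNs on one account" layout described in this thread. It assumes (and this is an assumption the poster's ktpass command would need to be checked against) that both SPNs are mapped to a single AD service account: the KDC then holds one AES key per enctype for that account, so if the keytab carries two different aes256 keys for the two SPNs at the same kvno, at most one of them can be right. AES keys are derived from the password with a salt (RFC 3962, default salt built from the principal name), whereas rc4-hmac keys are an unsalted MD4 of the password (RFC 4757), which is why such a keytab can work for RC4 and for only one SPN under AES. The sample keytab, SPNs, realm and key bytes are constructed for the demo.

```python
import struct

# Kerberos enctype numbers (RFC 3962 / RFC 4757)
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _cstr(b):
    # counted_octet_string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as an MIT 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)  # optional 32-bit vno written by modern tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype, key bytes, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted entry (a hole); skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cstr(data, pos)
        kvno = vno8
        if end - pos >= 4:  # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def diagnose(entries, spn, ticket_enctype, ticket_kvno, same_account_spns):
    """Mirror the keytab lookup APM performs for a ticket, then check that every SPN
    mapped to the same AD account carries identical key bytes for that enctype/kvno."""
    if not any(e["principal"] == spn for e in entries):
        return "NO_ENTRY_FOR_SPN"
    if not any(e["principal"] == spn and e["enctype"] == ticket_enctype for e in entries):
        return "ENCTYPE_MISMATCH"
    if not any(e["principal"] == spn and e["enctype"] == ticket_enctype
               and e["kvno"] == ticket_kvno for e in entries):
        return "KVNO_MISMATCH"
    keys = {e["key"] for e in entries if e["principal"] in same_account_spns
            and e["enctype"] == ticket_enctype and e["kvno"] == ticket_kvno}
    if len(keys) > 1:
        return "KEYS_DIFFER_ACROSS_SPNS"  # only one of them can be the KDC's key
    return "OK"


# Constructed sample: both SPNs live on one AD service account (assumption). The rc4-hmac
# entries are identical (unsalted), the aes256 entries differ (salted per principal name).
SAME_ACCOUNT = ["HTTP/app1.example.com@EXAMPLE.COM", "HTTP/app2.example.com@EXAMPLE.COM"]
SAMPLE_KEYTAB = build_keytab([
    (SAME_ACCOUNT[0], 24, 18, bytes.fromhex("11" * 32), 1697000000),
    (SAME_ACCOUNT[1], 24, 18, bytes.fromhex("22" * 32), 1697000000),
    (SAME_ACCOUNT[0], 24, 23, bytes.fromhex("aa" * 16), 1697000000),
    (SAME_ACCOUNT[1], 24, 23, bytes.fromhex("aa" * 16), 1697000000),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f'{e["principal"]} kvno={e["kvno"]} {ENCTYPES.get(e["enctype"], e["enctype"])} '
              f'key={e["key"].hex()[:8]}...')
    print(diagnose(parsed, SAME_ACCOUNT[1], 18, 24, SAME_ACCOUNT))
    print(diagnose(parsed, SAME_ACCOUNT[1], 23, 24, SAME_ACCOUNT))
```

To use this against a real file, read the keytab exported from the BIG-IP (or the one produced by ktpass) with `open(path, "rb").read()` in place of SAMPLE_KEYTAB, and take the SPN, enctype and kvno from the client's klist output and from the APM log line. A result of KEYS_DIFFER_ACROSS_SPNS with an RC4 result of OK matches the symptom in this thread and points at the keytab generation step, not at the AD account's "AES 256 bit encryption" option.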
24-Oct-2023 08:32
Hi,
Thank you for this feedback (I already knew this link); however, all the steps explained in your link complete correctly. Nevertheless, the generated keytab file only works for a single SPN and not for the other (the user gets an authentication pop-up). Following that, I did a rollback to RC4.