Forum Discussion

Nimbostratus

Dec 15, 2014

Solved

APM - show Kerberos Tickets

All, I configured APM with a Kerberos Constrained Delegation for Kerberos SSO. This is working so far but for debugging it would be helpfull to list all Kerberos Tickets granted. Is t...

BIG-IP Access Policy Manager (APM)

security

TMOS

TMSH

Francisco_Tresg
Jan 04, 2015
Hi René,

It seems F5 stores the TGTs for Kerberos in different cache files under the "/var/run/krb5cc/*" directory. Once there, depending on your partition set, there should be a different cache file for every user account which has been "delegated".

PATH for kerberos cache files: /var/run/krb5cc/"PartitionName"/"ADAuthServerName"/

For example, in my lab:

"[] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0

Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0

Default principal: USER1@F5.LAB

Valid starting Expires Service principal

01/04/15 15:39:11 01/05/15 01:39:11 krbtgt/F5.LAB@F5.LAB renew until 01/05/15 15:39:11

01/04/15 15:39:11 01/05/15 01:39:11 ldap/dc1.f5.lab@F5.LAB renew until 01/05/15 15:39:11

[] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1

Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1

Default principal: USER2@F5.LAB

Valid starting Expires Service principal

01/04/15 15:39:11 01/05/15 01:39:11 krbtgt/F5.LAB@F5.LAB renew until 01/05/15 15:39:11 "

Francisco_Abel_

Nimbostratus

Jan 04, 2015

Hi René,

It seems F5 stores the TGTs for Kerberos in different cache files under the "/var/run/krb5cc/*" directory. Once there, depending on your partition set, there should be a different cache file for every user account which has been "delegated".

PATH for kerberos cache files: /var/run/krb5cc/"PartitionName"/"ADAuthServerName"/

For example, in my lab:

"[] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0

Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0

Default principal: USER1@F5.LAB

Valid starting Expires Service principal

01/04/15 15:39:11 01/05/15 01:39:11 krbtgt/F5.LAB@F5.LAB renew until 01/05/15 15:39:11

01/04/15 15:39:11 01/05/15 01:39:11 ldap/dc1.f5.lab@F5.LAB renew until 01/05/15 15:39:11

[] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1

Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1

Default principal: USER2@F5.LAB

Valid starting Expires Service principal

01/04/15 15:39:11 01/05/15 01:39:11 krbtgt/F5.LAB@F5.LAB renew until 01/05/15 15:39:11 "

Rene_Bader_1308
Nimbostratus
Jan 08, 2015
Hi Francisco, That's it. Thanks. Best René

Forum Discussion

APM - show Kerberos Tickets

Recent Discussions

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

Related Content

Resolve Citrix Secure Ticket Authority (STA)

F5 APM-Kerberos -decrypt ticket

Extract Citrix Secure Ticket Authority (STA)

Kerberos SSO Clients Not Getting Ticket

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos