Cross Domain / Cross Forest Kerberos SSO

Question

Does anyone have a how to or gotcha's when deploying cross domain or cross forest Kerberos SSO?  I am currently working on a how to but curious if anyone has anything already and would like to share their own lessons learned.  Thanks!&nbsp;
Below are the known requirements as stated by Kevin Stewart.&nbsp;
Cross-domain/cross-forest Kerberos SSO requires that:&nbsp;
Both domains/forests must have a full two-way transitive trust for Constrained Delegation to work.The APM Kerberos SSO AD service account MUST be in the same domain as the web server. Users can be anywhere.The F5 must be able to resolve and communicate with both domains/forest KDCs. For multi-domain, it's usually easiest to point DNS at the global catalog server.

steve_lyons · Answer

More requirements.&nbsp;
The delegation account must be in service principal name (SPN) format “host/name”. In the active directory, the delegation account must use this SPN value for both its servicePrincipalName and userPrincipalName attributes. This same SPN value must also be used in the Account Name field in the Kerberos SSO config. Kerberos only mode enables the “Kerberos Protocol Transition” protocol option, which is required for APM Kerberos SSO to work.

steve_lyons · Answer

If you receive the following error, "KRB ERROR : KRB5KRB_ERR_RESPONSE_TOO_BIG" it is likely Kerberos communication is occurring over UDP. Validate there is a TCP SRV record for Kerberos and attempt authentication again.

Forum Discussion

Cross Domain / Cross Forest Kerberos SSO

2 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Enriching AFM with public domain Threat Intelligence

domain blocking

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1