Forum Discussion
Make sure to troubleshoot each half of a Kerberos setup separately. Is Kerberos AAA working in this case?
I had to dig up my notes on this as it has been a while, but essentially Kerberos SSO needs the following things first:
- successful sign-on to the target application inside the domain from other systems (target app SPN must already exist and be functional),
- working forward/reverse DNS on the BIG-IP (i.e. using Active Directory for DNS resolution),
- connectivity to the KDC (looks like you have this),
- NTP must be functional.
In the Delegation tab for the F5 SSO user in AD, ensure that "Trust this user for delegation to specified services only; Use any authentication protocol" is selected.
In the service account for the target application, I found that I needed to set up a delegation to the app's own SPN records with the Delegation setting set to "Trust this user for delegation to specified services only; Use Kerberos only." The F5 SSO user and the target application user should be separate.
I'm not an expert on this stuff, but it has worked for us in the past and is still in production use.
A pretty good troubleshooting resource is here by Cody Green.
Microsoft has an in-depth description of the concepts here.
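An added example (not from the original post, and not F5 or Microsoft code) that checks the prerequisites and delegation settings listed above from a domain-joined admin host with the RSAT ActiveDirectory module. It maps the Delegation tab's radio buttons back to the LDAP attributes they set (`msDS-AllowedToDelegateTo` for "specified services only", the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit of `userAccountControl` for "Use any authentication protocol") and then checks forward/reverse DNS, KDC reachability and clock offset. The account names, SPNs and host name are placeholders; replace them with your own.

```powershell
# Added example, not from the original post: audit the AD side of a BIG-IP Kerberos SSO
# (constrained delegation) setup. Requires the RSAT ActiveDirectory module.
# $F5SsoUser, $AppSvcUser, $AppHost and $AppSpns are placeholders; replace them with your own.
Import-Module ActiveDirectory

$F5SsoUser  = 'svc-f5-sso'                     # placeholder: BIG-IP SSO delegation account
$AppSvcUser = 'svc-webapp'                     # placeholder: target application service account
$AppHost    = 'app.corp.example'               # placeholder: target application host (FQDN)
$AppSpns    = @("HTTP/$AppHost", 'HTTP/app')   # placeholder: SPNs registered for the target app

# userAccountControl bits that the Delegation tab toggles
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationMode {
    # Map an account's LDAP attributes back to the Delegation tab's radio buttons.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac     = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo')
    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
            elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { 'Constrained-AnyProtocol' }
            elseif ($targets.Count -gt 0) { 'Constrained-KerberosOnly' }
            else { 'None' }
    [pscustomobject]@{ Account = $SamAccountName; Mode = $mode; Targets = $targets; OwnSpns = @($u.servicePrincipalName) }
}

$findings = New-Object System.Collections.Generic.List[string]

# The two accounts must be separate
if ($F5SsoUser -ieq $AppSvcUser) { $findings.Add('F5 SSO account and application service account must be separate accounts.') }

$f5  = Get-DelegationMode $F5SsoUser
$app = Get-DelegationMode $AppSvcUser

# F5 SSO user: constrained to the app's SPNs, with "Use any authentication protocol"
if ($f5.Mode -ne 'Constrained-AnyProtocol') { $findings.Add("$F5SsoUser delegation mode is '$($f5.Mode)', expected 'Constrained-AnyProtocol'.") }
foreach ($spn in $AppSpns) { if ($f5.Targets -notcontains $spn) { $findings.Add("$F5SsoUser is missing delegation target $spn.") } }

# Application service account: owns the SPNs and is constrained (Kerberos only) to its own SPNs
foreach ($spn in $AppSpns) {
    if ($app.OwnSpns -notcontains $spn) { $findings.Add("$AppSvcUser does not own SPN $spn (compare with: setspn -L $AppSvcUser).") }
    if ($app.Targets -notcontains $spn) { $findings.Add("$AppSvcUser is not delegated to its own SPN $spn.") }
}
if ($app.Mode -ne 'Constrained-KerberosOnly') { $findings.Add("$AppSvcUser delegation mode is '$($app.Mode)', expected 'Constrained-KerberosOnly'.") }

# DNS prerequisite: forward and reverse records for the app host must agree
$fwd = Resolve-DnsName -Name $AppHost -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
if (-not $fwd) { $findings.Add("No A record for $AppHost.") }
else {
    foreach ($ip in $fwd.IPAddress) {
        $rev = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        if (-not $rev -or ($rev.NameHost -notcontains $AppHost)) { $findings.Add("Reverse lookup for $ip does not return $AppHost.") }
    }
}

# KDC reachability and time: Kerberos needs port 88 and clocks within the skew tolerance (5 minutes by default)
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
if (-not (Test-NetConnection -ComputerName $dc -Port 88 -InformationLevel Quiet)) { $findings.Add("Cannot reach KDC $dc on TCP/88.") }
w32tm /stripchart /computer:$dc /samples:1 /dataonly   # prints this host's offset from the DC

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an account that can read the two user objects. The DNS and NTP checks run from the admin host, not the BIG-IP itself, so they confirm what AD serves rather than what the BIG-IP resolves; repeat the forward/reverse lookups from the BIG-IP's own DNS settings as well. A `Mode` of `Unconstrained` on either account is a finding even if SSO happens to work, since it grants far more than the target application needs.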