Kerberos to web app
We have a web app that is currently load balanced by the F5 LTM. A new requirement came in to use Kerberos so internal users wouldn't have to log into the web app. When they log into their workstations, they are authenticated to the domain.
I got the APM VPE pretty much figured out. The client-to-F5 Kerberos and AAA works. The issue I am running into is with the F5-to-web-server Kerberos SSO. We are using the delegated account and we created the following:
- service account: host/apmsso.mydomain.com
- SPNs associated with this account: http/serverA.mydomain.com & http/serverB.mydomain.com
A majority of the time, my users get the username and password prompt, and when we enter it in, we get a 401 auth error.
Today, it worked great for me, no errors, but not for anyone else. I ran a couple of packet captures and noticed that when the server sends back the 401, the F5 replies with the wrong SPN request: it sends back serverA$ instead of http/serverA.mydomain.com. When it works, the packet captures show the correct response.
My question is why does it work and not work? Are there any special settings on the delegation account that I need set? I only have "password never expires" and "password never changes" set.
I have run "klist purge" on my machine and the web server, and run "bigstart restart rba" on the F5. All the ktutil checks are correct.
Losing my mind here!!!
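One way to check the delegation account the post describes from the domain side, as an added example that is not part of the original post. It assumes the names used above (the apmsso account, serverA and serverB in mydomain.com) and that the Active Directory PowerShell module and the setspn tool are available on the machine it runs from; it reports which SPNs and delegation targets the account carries and whether each target SPN is registered on exactly one object, which is the first thing worth ruling out when the ticket the F5 obtains is for a different name than the one configured.

```powershell
# Added diagnostic example; names are taken from the post and are assumptions for your environment.
Import-Module ActiveDirectory

$account  = 'apmsso'
$expected = @('http/serverA.mydomain.com', 'http/serverB.mydomain.com')

# 1. What the delegation account itself carries: its own SPNs, the constrained-delegation
#    targets it may request service tickets for, and whether protocol transition is enabled.
$u = Get-ADUser -Identity $account -Properties ServicePrincipalName, `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation, PasswordNeverExpires

"SPNs registered on ${account}:"
$u.ServicePrincipalName | ForEach-Object { "  $_" }
"Constrained delegation targets (msDS-AllowedToDelegateTo):"
$u.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }
"TrustedForDelegation:        $($u.TrustedForDelegation)"
"TrustedToAuthForDelegation:  $($u.TrustedToAuthForDelegation)"
"PasswordNeverExpires:        $($u.PasswordNeverExpires)"

# 2. Every target SPN must resolve to exactly one account in the domain. If an http/ SPN is
#    missing, or is also registered on another object (for example the web server's own
#    computer account), the KDC cannot issue a ticket for the name the F5 was configured with.
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any object" }
        1       { "$spn -> $($owners[0].Name)" }
        default { Write-Warning "$spn is registered on $($owners.Count) objects: $($owners.Name -join ', ')" }
    }
    if ($u.'msDS-AllowedToDelegateTo' -notcontains $spn) {
        Write-Warning "$spn is not in the delegation target list of $account"
    }
}

# 3. The same view from the command-line tool, plus a forest-wide duplicate-SPN report.
setspn -L $account
setspn -X
```

Run it as a user with read access to the domain. The warnings are the interesting output: a target SPN with zero or multiple owners, or one that is not in the account's delegation list, is a configuration problem on the directory side rather than on the F5.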