F5 APM seems to be choosing NTLM over Kerberos - cache issue?
Hello DevCentral, the scenario here is that we previously set up an application to perform NTLMv2 SSO and now have a need to perform Kerberos. When we changed the Portal Access resource to use Kerberos configuration, it is still using NTLMv2 instead. The Kerberos setup on the APM is correct as it is working for other applications and on the server as it is working for internal users. Is it possible that the F5 is just caching the chosen form of authentication since it was set up to perform NTLMv2 before? I will also mention that while tracing APM logs in SSO debug mode I do not see any attempts to perform Kerberos at all.
Thanks for any help.
No, there's not any cache that works that way in APM.
You've probably forgotten to include resource-items in your Portal Access List or the items don't match the actual items being requested. APM doesn't necessarily know all of the URLs/hosts/ports/schemes that are included as part of your web app. So the resource-items are the way to define it if you want it to switch between SSOs for you.
It could also be that your resource-items overlap with another Portal Access List.