Forum Discussion
Then right after that - it seems the F5 then finds the newly cached ticket and processes properly. I won't post debug, but we can trace quite a few GETs with some of them showing S4U===>OK and others seeming like they have no ticket and must request one. Our SSO config is set to be pretty vanilla - send auth always, 600 timeout. We are on 11.6.1 HF2 - getting ready to go to 13.1.1.
Within the SSO profile - I've defined the KDC by IP to rule out any DNS issues. This is not our primary Domain/Realm. This is a tenant Domain with the F5 fronting a single webservice. The realm and KDC options have also been defined as a separate realm within /etc/krb5.conf and of course the SPNs and the service accounts are specific to this domain logic.
I should add that the FQDN for the service SPN is not part of the back-end domain... but this shouldn't matter I don't think, as long as the service account in the application pool on IIS is the SPN holder and part of the Realm I'm operating in with my service account with delegation to that SPN.
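As an added illustration (not part of the original post, and not the poster's actual configuration), this is the shape of a /etc/krb5.conf that defines the tenant realm as a separate realm with its KDC given by IP address, and maps the service's FQDN (which lives outside the back-end domain) onto that realm via a domain_realm entry. All names and addresses below are placeholders chosen for the example.

```ini
# Added example krb5.conf fragment; realm names, hostnames and the KDC
# address are placeholders, not values from the original post.
[libdefaults]
    # Primary realm stays the default; the tenant realm is defined separately.
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }
    # Tenant realm that the SSO service account and the web service SPN belong to.
    # KDC pinned by IP to take DNS resolution out of the picture.
    TENANT.EXAMPLE.NET = {
        kdc = 192.0.2.10
        admin_server = 192.0.2.10
    }

[domain_realm]
    # The service FQDN is not under the tenant domain, so it is mapped explicitly;
    # without this the library would guess the realm from the hostname suffix.
    webservice.apps.example.org = TENANT.EXAMPLE.NET
    .tenant.example.net = TENANT.EXAMPLE.NET
    tenant.example.net = TENANT.EXAMPLE.NET
```

The domain_realm section is the piece worth checking when the SPN's FQDN does not share a suffix with the realm: if the mapping is missing, ticket requests for HTTP/webservice.apps.example.org can be sent to the wrong realm, which shows up as intermittent ticket-acquisition failures rather than a clean error.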