Forum Discussion
We were able to figure it out. We had to add the "host/apmkerb.svc" as an SPN for apmkerb.svc. Even though it got a TGT for host/apmkerb.svc@TEST.DOMAIN.COM, when it tried to fetch the S4U ticket it first sent a TGS to the domain with that Sname. A packet capture on the DC revealed it, and it is now fetching the S4U ticket correctly.
- RecontuerSG_258, Dec 15, 2016 (Historic F5 Account)
Hello. I have met with this issue instead:
Kerberos: can't get S4U2Self ticket for user davis@GTSL.COM - Matching credential not found
Any idea?
Thanks!
- Dec 15, 2016
Does the user davis exist in your Kerberos database? (Kerberos needs the sAMAccountName.)
Cheers,
Kees
- RecontuerSG_258, Dec 19, 2016 (Historic F5 Account)
Thank you for responding, Kees. Is the Kerberos database the same as the Active Directory database? Is a keytab file required? The Kerberos-F5 guide I am reading did not mention a keytab file, and I am using version 12.1.1 of LTM. "davis" is part of Active Directory.
- Dec 19, 2016
Hi,
If you're using AD, then the AD and Kerberos databases are the same. A keytab file is not needed when doing SSO.
Is the password of your service account correct?
Cheers,
Kees