Forum Discussion

R_Marc_77962
Jun 24, 2015

APM Kerberos AAA initial configuration problems.

I'm trying to set up Kerberos AAA on a server. My browser is set up to trust the URL in question (using Firefox). I can get into other sites in my trusted list via Kerberos, but can't get it to work to my APM.

My AAA config is pretty simple:

My Access policy is likewise simple (though with a lot of logging). The BA part is unnecessary, but it's there anyway (things go down the negotiate path):

I do get prompted for and then send a Negotiate header, but it's not my ticket (not really sure what it is). My actual ticket is 4608 characters in a good Kerberos auth:

https://bip*******.int/my.policy

GET /my.policy HTTP/1.1
Host: bip*******.int
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LastMRH_Session=5f0a5d1d; MRHSession=b5eccc20ed079211d0f34fa05f0a5d1d
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

DNS is set up and resolves correctly. Not really sure what I'm doing wrong here.

Kerberos SSO works just fine.
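A way to see what mechanism a `Negotiate` token carries, as an added example that is not part of the original post: the function names are hypothetical, and the only real input is the header line copied from the request above. It checks for the NTLMSSP signature and for the GSS-API mechanism OID of SPNEGO or Kerberos 5.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Header line copied from the request in the post.
POSTED = "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def gss_mech_oid(raw):
    """Return the mechanism OID bytes of a GSS-API initial token, else None."""
    if len(raw) < 4 or raw[0] != 0x60:           # [APPLICATION 0] wrapper
        return None
    pos = 1
    # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
    if raw[pos] & 0x80:
        pos += 1 + (raw[pos] & 0x7F)
    else:
        pos += 1
    if pos + 2 > len(raw) or raw[pos] != 0x06:   # OBJECT IDENTIFIER tag
        return None
    return raw[pos + 2 : pos + 2 + raw[pos + 1]]


def classify_negotiate(header_line):
    """Classify the token in an 'Authorization: Negotiate <base64>' header."""
    value = header_line.split(":", 1)[1] if ":" in header_line else header_line
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"mechanism": "not-negotiate"}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return {"mechanism": "invalid-base64"}
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian type
        return {"mechanism": "NTLM", "message": NTLM_TYPES.get(msg_type, "unknown")}
    oid = gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        # SPNEGO wrapper only; the inner mechToken is not parsed here.
        return {"mechanism": "SPNEGO"}
    if oid == KRB5_OID:
        return {"mechanism": "Kerberos"}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    print(classify_negotiate(POSTED))
```

An `NTLM` result with message `NEGOTIATE` means the client sent an NTLM type 1 message inside the Negotiate scheme rather than a Kerberos service ticket.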