Forum Discussion

avnishvyas_1974
Aug 31, 2017

APM Redirecting to my.policy and Kerberos Authentication Failing

Hello All, I really need some help with setting up an APM profile to authenticate Kerberos users for AD. The F5 LTM is a BIG-IP 7000, Version 12.0.0 Build 0.0 606 Final. I have a VIP address on aa.bb.71.151 on TCP port 8080. The VIP uses a dedicated SNAT pool address cc.dd.72.4 for return traffic, and the health monitors are simply doing a health check with a GET request to a URL and a receive string WSUP, which passes the health monitors to 6 proxy servers in the pool. The VIP has been set up as an explicit forwarding proxy VIP. I believe the LTM set up for this is fine, as connectivity has been proven from the VIP to the pool members. For the APM configuration I have used the following resources to build the APM policy:

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-6-0/9.html
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-5-0/8.html
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-6-0/5.html
https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm


So the APM policy is defined as such


I have then requested a SPNUSR account as a test and ran the following command on the CLI of the LTM:

klist -ke WRFILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/:Common\SVC_APM_USer_key_file_75902_1


I then ran the kinit command using the SPNUSR account's credentials:

kinit HTTP/SVC_APM_USer.Live.Internal@Live.Internal


I also ran a TCPDUMP at this time and can see that a connection is being made and Kerberos traffic is also occurring, but the Kerberos authentication is not occurring, and also when an internal user browses to any of the URLs they are immediately redirected to the my.policy page with no further progress. I would appreciate some tips and pointers as to where to start t-shooting this scenario. I have opened a TAC case with F5 and this was forwarded to their professional services team, who quoted us a year's salary for 2 days' consultation. I want to avoid the cost by any means necessary, so please help me!


1 Reply

  • Hi,

    If I understand, the SPNUSR user is defined with servicePrincipalName HTTP/SVC_APM_USer.Live.Internal@Live.Internal.

    Did you configure a DNS PTR record of your virtual server IP address with the value SVC_APM_USer.Live.Internal?

    Are the F5 appliances configured with NTP on AD (or the same NTP server as AD)?
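The three prerequisites the reply asks about (the SPN actually present in the keytab, a PTR record for the VIP that matches the SPN host, and clocks within the Kerberos skew window) as an added Python checker; this is example code, not from the thread or from F5. The klist -ke output is a constructed sample whose KVNO, encryption type and uppercase realm are assumptions, and the checks take the keytab listing, the PTR answer and two timestamps as inputs so they run offline.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `klist -ke` output. The keytab path and SPN follow the
# ones in the thread; the KVNO, encryption type and uppercase realm are assumed.
SAMPLE_KLIST = r"""Keytab name: WRFILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/:Common\SVC_APM_USer_key_file_75902_1
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/SVC_APM_USer.Live.Internal@LIVE.INTERNAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def check_spn(entries, expected):
    """Principals are case-sensitive in Kerberos: a keytab entry that differs
    from the expected SPN only in case cannot decrypt the service ticket."""
    names = [principal for _, principal, _ in entries]
    if expected in names:
        return "ok"
    if expected.lower() in (n.lower() for n in names):
        return "case-mismatch"
    return "missing"


def check_ptr(ptr_name, spn):
    """The host in HTTP/<host>@<REALM> must match the PTR answer for the VIP.
    DNS names compare case-insensitively; a trailing dot is ignored."""
    host = spn.split("/", 1)[1].split("@", 1)[0]
    return ptr_name.rstrip(".").lower() == host.lower()


def clock_skew_ok(appliance_time, kdc_time, max_skew_s=300):
    """The KDC rejects authenticators outside its clock skew window (5 minutes
    by default), which is why the reply asks whether BIG-IP syncs NTP with AD."""
    return abs((appliance_time - kdc_time).total_seconds()) <= max_skew_s


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(check_spn(entries, "HTTP/SVC_APM_USer.Live.Internal@LIVE.INTERNAL"))
    print(check_ptr("svc_apm_user.live.internal.", entries[0][1]))
    now = datetime.now(timezone.utc)
    print(clock_skew_ok(now, now - timedelta(minutes=6)))
```

Feed it the real klist -ke output, the PTR answer for the VIP and the appliance and KDC times to see which of the three prerequisites is failing.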