articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md
10 additions & 9 deletions
@@ -282,7 +282,7 @@ The **Application Pool tab** details the services behind a BIG-IP, represented a
282
282
283
283
2. Choose the **Load Balancing Method** as *Round Robin*
284
284
285
-
3.Update**Pool Servers.**Select an existing server node or specify an IP and port for the backend node hosting the header-based application
285
+
3.For**Pool Servers**select an existing server node or specify an IP and port for the backend node hosting the header-based application
286
286
287
287

288
288
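Review bot: the rewritten step 3 still refers to "the header-based application", but this file is f5-big-ip-kerberos-easy-button.md, so the backend node here hosts the Kerberos application; correct that wording while the line is being touched. The step also now opens with "For Pool Servers select", whereas step 2 just above is imperative ("Choose the ..."); something like "Under **Pool Servers**, select an existing server node or specify an IP and port ..." keeps the steps parallel and supplies the missing comma.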
@@ -424,33 +424,34 @@ You can navigate to **Access > Guided Configuration** and select the **small pad
424
424
425
425
At that point, changes via the wizard UI are no longer possible, but all BIG-IP objects associated with the published instance of the application will be unlocked for direct management.
426
426
427
-
[!NOTE] Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.
427
+
>[!NOTE]
428
+
>Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.
428
429
429
430
## Troubleshooting
430
431
431
-
You can fail to access the SHA protected application due to any number of factors, including a misconfiguration.
432
-
433
-
Consider the following points while troubleshooting any issue.
432
+
Failure to access a SHA protected application can be due to any number of factors. If troubleshooting kerberos SSO issues, be aware of the following.
434
433
435
434
* Kerberos is time sensitive, so requires that servers and clients be set to the correct time and where possible synchronized to a reliable time source
436
435
437
436
* Ensure the hostname for the domain controller and web application are resolvable in DNS
438
437
439
-
* Ensure there are no duplicate SPNs in your environment by executing the following query at the command line: setspn -q HTTP/my_target_SPN
438
+
* Ensure there are no duplicate SPNs in your AD environment by executing the following query at the command line on a domain PC: setspn -q HTTP/my_target_SPN
440
439
441
440
You can refer to our [App Proxy guidance](../app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md) to validate an IIS application is configured appropriately for KCD. F5’s article on [how the APM handles Kerberos SSO](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html) is also a valuable resource.
442
441
443
442
### Log analysis
444
443
445
-
BIG-IP logs are a great source of information for isolating all sorts of authentication & SSO issues. When troubleshooting you should increase the log verbosity level.
444
+
BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.
2. Select the row for your published application, then **Edit > Access System Logs**
450
449
451
450
3. Select **Debug** from the SSO list, and then select **OK**.
452
451
453
-
Then reproduce your issue before looking at the logs but remember to switch this back when finished. If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, it’s possible the issue relates to SSO from Azure AD to the BIG-IP.
452
+
Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.
453
+
454
+
If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, it’s possible the issue relates to SSO from Azure AD to the BIG-IP.
454
455
455
456
1. Navigate to **Access > Overview > Access reports**
456
457
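Review bot: in the new Troubleshooting intro, "kerberos SSO issues" is lowercase while the bullet directly below it writes "Kerberos"; capitalize it, and hyphenate "SHA-protected". In the SPN bullet, set the command in inline code (`setspn -q HTTP/my_target_SPN`) so it is not read as part of the sentence, and replace "domain PC" with "domain-joined computer". In the log analysis text, "remember to switch this back" does not say what is being switched; state explicitly that the SSO log level should be returned from **Debug** to its previous setting once the issue has been reproduced.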
@@ -460,6 +461,6 @@ If you don’t see a BIG-IP error page, then the issue is probably more related
460
461
461
462
1. Navigate to **Access Policy > Overview > Active Sessions**
462
463
463
-
2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers.
464
+
2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers from session variables.
464
465
465
466
See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.
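Review bot: the edited step 2 keeps the phrase "may also help determine root cause KCD issues", which does not parse; since the sentence is being changed to add "from session variables", reword it at the same time, for example "may also help determine the root cause of KCD issues".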