Bug ID 668532: Cached stale Kerberos tickets can cause auth failures.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 09, 2017
Severity: 3-Major

Symptoms

After an upgrade, an attempt is made to update/renew an expired Kerberos ticket, and if that does not occur; it will result in stale/old Kerberos ticket causing APM end users to experience failures in authentication.

Impact

APM end users experience authentication failures and loss of connectivity.

Conditions

Kerberos tickets cannot be cleared and renewed.

Workaround

Restart Kerberos Cache.

Fix Information

A button is provided to be able to clear Kerberos cache from GUI. Similarly there is an option provided to clear cache using TMSH, using the following command: tmsh modify active-directory ad-auth-server cleanup-cache kerberos

Behavior Change