AD Authentication Failing in APM

Question

Following steps were taken. However, I am getting the error Common/devportal.kellogg.com_access_process:Common:eff7711c: AD module: authentication with 'testuser1' failed: Invalid format of Kerberos lifetime or clock skew string, principal name: xxxxxxx@abc.COM. Please verify Active Directory and DNS configuration. (-1765328136). I am struggling with this error for few days. However no success. Looking for answer from the experts. Please advise.

Created a node for AD Domain Controller
Created a Pool and added AD domain controller
LDAP based health check working
DNS setup working
NTP setup and working
AAA Active Directory Object created
APM policy created with Active Directory authentication.
Enabled APM Debug log.

Cheers,

Raghbir

nikoolayy1 · Answer

Did the server team check that their AD server has the same time/clock values and also their logs? The issue will not always be the F5. Also check the hardware clock on the F5 device just in case:

https://support.f5.com/csp/article/K3381

Maybe also test if with LDAP there are no issue, you may use ldapsearch or adtest tool on F5 device as maybe the F5 is not telling us what is exact issue?

If someone has better idea, please also share it.

Also have you checked everything in :

https://support.f5.com/csp/article/K24065228

https://support.f5.com/csp/article/K40119818

raghbir_sandhu · Answer

Thanks for the reply. I have check the HW and Systems time. They were different, however now HW and Systems time is with in 3 second. The other thing is, i am able to authenticate using LDAP AAA (not Active Directory). I used the same AD servers. But authentication failed with Active Directory AAA.

One question I have, Can we use the AAAA LDAP authentication for Kerberos SSO with the Kerberos SSO profile.

Any suggestion.

nikoolayy1 · Answer

Still better to ask also the server team to check their AD logs and so on. See this "Table 3.1 Client-side and server-side authentication method support matrix" on the link below:

https://support.f5.com/csp/article/K08200035#link_02

Basically on the F5 device you use for the client side authentication the apm web form (webtop) or HTTP Basic and the server side authentication (SSO) can be KERBEROS.

raghbir_sandhu · Answer

I am able to solve the issue. In the krb5.conf file, there was a extra space in the ticket_lifetime = 24 parameter setting. I removed the extra space and now it is working.

nikoolayy1 · Answer

For future issues follow this article https://support.f5.com/csp/article/K40119818 . So the SSO worked for you and the server team  couldn't help with the SAML or AD authentication ?

Forum Discussion

AD Authentication Failing in APM

Recent Discussions

did not show checkbox on chrome while access through f5

How do I create a traffic log for two different route domains?

Flip-flop load balancing

ASM Export JSON - size Limit ?

Can i apply ddos profile on virtual server using port range

Related Content

APM Sharepoint authentication

Two-Factor Authentication With Google Authenticator And APM

APM Sharepoint authentication v2

APM Clientless certificate authentication

Yubikey Authentication Modes and Azure AD integration via the APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS