For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Grayson_149410's avatar
Grayson_149410
Icon for Nimbostratus rankNimbostratus
Nov 25, 2014

APM - SSO Password Empty

This is going through the Edge Portal app. I have tested the process on Android and iOS and receive the same results. I get to the login page, I enter my AD credentials and then does a SSO mapping to have access to our Intranet Sharepoint page.

I have tried both NTLMv1/2 on the portal resource + Access Policy SSO/Auth section.

User logs in with their AD credentials and also does a query lookup to make sure they are in the right security group to be able to get on the portal.

All of this is working fine and I am getting passed through my access policy successfully. It keeps failing on the SSO part. I have the variables for NTLMv1/2 and SSO Credential mapping set to session.logon.last.username/password and they match.

When I open the Edge Portal application, I enter my credentials and then I get another login screen wanting credentials and won't let me through. I turned debug on for SSO and I receive the following:

Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ssoMethod: ntlmv2 usernameSource: session.logon.last.username passwordSource: session.logon.last.password ntlmdomain: abc.com
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_REQUEST
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_REQUEST_DONE
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_SESSION_RESULT
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_SESSION_RESULT
Nov 25 10:50:01 DC-LTM01 err websso.2[17219]: 014d0027:3: 539db945: Could not find SSO password, check SSO credential mapping agent setting
Nov 25 10:50:01 DC-LTM01 err websso.2[17219]: 014d0028:3: 539db945: Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_SESSION_RESULT
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_SESSION_RESULT
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x93d0fb0, SERVER: TMEVT_REQUEST
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x93d0fb0, SERVER: TMEVT_RESPONSE
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: 14 headers received
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header *[:status][401 Unauthorized] (len=16)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header *[WWW-Authenticate][NTLM] (len=4)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [X-MS-InvokeApp][1; RequireReadOnly] (len=18)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [SPRequestGuid][209dcf9c-7b22-5094-e8d9-46722c6846ee] (len=36)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [MicrosoftSharePointTeamServices][15.0.0.4569] (len=11)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [X-Powered-By][ASP.NET] (len=7)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [SPIisLatency][0] (len=1)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [Content-Type][text/plain; charset=utf-8] (len=25)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [Content-Length][16] (len=2)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [Date][Tue, 25 Nov 2014 15:50:01 GMT] (len=29)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [request-id][209dcf9c-7b22-5094-e8d9-46722c6846ee] (len=36)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [X-Content-Type-Options][nosniff] (len=7)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [Server][Microsoft-IIS/8.5] (len=17)
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: http header  [SPRequestDuration][2] (len=1)
Nov 25 10:50:01 DC-LTM01 info websso.2[17219]: 014d0014:6: 539db945: Found HTTP 401 response for SSO configuration '/Common/sso_ntlmv2' type:'ntlmv2'
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: www-authenticate header: NTLM
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ntlm auth: 0, ntlm state: 0
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: Parsing request cookies.
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: Cookie header: SPUsageId=1d55d13d-1d30-4355-b401-1d55ed6318a6
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: Parsing response cookies.
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: No set-cookie headers found
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_RESPONSE
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: ctx: 0x938f7e0, CLIENT: TMEVT_RESPONSE_DONE
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: sso_disable: 0, _needAuth: 1
Nov 25 10:50:01 DC-LTM01 debug websso.2[17219]: 014d0001:7: empty password, pass through response.
BIG-IP Access Policy Manager (APM)
security

1 Reply

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Dec 01, 2014

    Any modifications done to default agent variable assignments in logon page or sso credential mapping agent?