Forum Discussion
APM is not forwarding authentication token to ADFS
Hello experts,
We configured ADFS on F5 following the deployment guide named Securing AD FS with the BIG-IP APM. The customer had another demand: to authenticate with UPN only, not with sAMAccountName. So I changed AD authentication to LDAP. The user is able to authenticate via APM, but the authentication token is not forwarded to ADFS. ADFS then sees the user as not authenticated and does not show the correct web page. I think the problem is somewhere in the policy editor, but I am not sure where. Could you please advise?
In the LDAP search filter, I set up: UserPrincipalName=%{session.logon.last.username}. In SSO credentials mapping, we have: SSO Token Username - Username from Logon Page, SSO Token Password - Password from Logon Page.
Thank you for help
Roman
6 Replies
- Josiah_39459
Historic F5 Account
Since the LDAP auth applies only to the Access Policy, it has no bearing on the backend server. It sounds to me like your problem is likely in the SSO.
You didn't say what type of SSO you are using, but if it is expecting the sAMAccountName and you are sending the UPN and they are different, it's obviously going to fail, right?
- BigFoot
Nimbostratus
Yes, I am using NTLMv1, sorry, I forgot to add that here. The setting is default; just the domain is different. According to the application team, they cannot see any authentication attempt on ADFS.
- Josiah_39459
Historic F5 Account
Well, a packet capture and websso logs (potentially debug) will tell you for sure. NTLM is just an HTTP header. But it seems, as a bare minimum, you have to fix your SSO credential assign to be valid.
- BigFoot
Nimbostratus
It took some time, but I did a packet capture and decrypted the traffic; it seems that the user's credentials are not added to the NTLM header, so they are not passed to ADFS. Does anybody know what the correct setup should look like for ADFS with authentication based on UPN and not sAMAccountName?
- Stanislas_Piro2
Cumulonimbus
Hi,
If you configured SSO with Kerberos, the requirements are:
- SSO username must be the sAMAccountName user attribute
- session.logon.last.domain must be configured with the domain FQDN
To authenticate with UPN using AD Auth, you can configure an AD Query first with:
- filter: UserPrincipalName=%{session.logon.last.username}
- attributes:
  - sAMAccountName
  - memberOf
Then Configure a variable assign to :
- assign session.logon.last.username with AD attribute sAMAccountName.
- assign session.logon.last.domain with variable session.ad.last.actualdomain
After this box, you can authenticate user based on the new username variable, and Kerberos is configured with expected variables.
- Stanislas_Piro2
Cumulonimbus
Hi,
The VPE can be following:
- Logon Page
- AD Query to retrieve the following attributes (with filter UserPrincipalName=%{session.logon.last.username}):
- sAMAccountName
- memberOf (if you filter based on member group)
- Variable Assign
- session.logon.last.username = AD attribute name sAMAccountName
- session.logon.last.ntdomain = Text COMPANY (static value, as it is not stored as an AD attribute)
- session.logon.last.krbdomain = Session Variable session.ad.last.actualdomain
- AD Auth
- SSO Credential mapping
Then in SSO, replace session.logon.last.domain with:
- NTLM: session.logon.last.ntdomain
- Kerberos: session.logon.last.krbdomain
You can then choose either of the two SSO methods.
For the Kerberos SSO, the following must be created:
- One PTR record for IP 1.2.3.4 --> adfs.company.local
The delegation user must be created with:
- Samaccountname: f5deleg
- UPN : F5deleg@company.local
- SPN : host/F5deleg.company.local (defined with setspn command or editing attribute in attributes tab)
- Delegation authorization: HTTP/adfs.company.local
In Kerberos SSO:
- User Realm Source - company.local
- leave username source with default value (or session.ad.last.attr.sAMAccountName)
- set domain source with session.logon.last.krbdomain (created in VPE above)
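The two posts above describe a procedure (an AD Query that maps the UPN to sAMAccountName, then a delegation account with a host SPN that is allowed to delegate to HTTP/adfs.company.local). The following PowerShell is an added example, not from the original thread or from F5's deployment guide, that reproduces the lookup and builds and verifies the delegation account on the AD side. It assumes the names from the posts (company.local, f5deleg, adfs.company.local at 1.2.3.4), a Windows DNS server hosting the reverse zone 3.2.1.in-addr.arpa, the ActiveDirectory and DnsServer RSAT modules on a domain-joined admin host, and a constructed test UPN (roman@company.local); the function name Resolve-UpnToSam is mine.

```powershell
# Added example (not from the thread or the F5 deployment guide).
# Assumptions: domain company.local, ADFS name adfs.company.local at 1.2.3.4,
# reverse zone 3.2.1.in-addr.arpa on a Windows DNS server, delegation account
# f5deleg, ActiveDirectory + DnsServer RSAT modules. Adjust to your environment.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain      = 'company.local'
$AdfsHost    = "adfs.$Domain"
$AdfsIp      = '1.2.3.4'
$ReverseZone = '3.2.1.in-addr.arpa'   # reverse zone for 1.2.3.x
$DelegSam    = 'f5deleg'
$DelegUpn    = "$DelegSam@$Domain"
$DelegSpn    = "host/$DelegSam.$Domain"
$TargetSpn   = "HTTP/$AdfsHost"

# 1. Reproduce the AD Query step of the VPE: resolve a UPN to sAMAccountName and
#    memberOf, which is what APM must write into session.logon.last.username.
function Resolve-UpnToSam {
    param([Parameter(Mandatory)][string]$Upn)
    $u = Get-ADUser -Filter { UserPrincipalName -eq $Upn } -Properties sAMAccountName, memberOf
    if (-not $u) { throw "No user with UPN $Upn; the APM AD Query filter would match nothing." }
    [pscustomobject]@{ sAMAccountName = $u.sAMAccountName; memberOf = $u.memberOf }
}
Resolve-UpnToSam -Upn 'roman@company.local'   # constructed sample UPN

# 2. PTR record so the reverse lookup of the ADFS IP yields the SPN host name.
if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name '4' -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name '4' -PtrDomainName $AdfsHost
}

# 3. The target SPN must already be registered on the ADFS service account;
#    constrained delegation to an unregistered SPN fails at the KDC.
$owner = Get-ADObject -Filter { servicePrincipalName -eq $TargetSpn } -Properties servicePrincipalName
if (-not $owner) { throw "$TargetSpn is not registered on any account; register it on the ADFS service account first." }

# 4. Delegation account with the attributes listed in the post.
$pwd = Read-Host -AsSecureString -Prompt "Password for $DelegSam"
if (-not (Get-ADUser -Filter { sAMAccountName -eq $DelegSam })) {
    New-ADUser -Name $DelegSam -SamAccountName $DelegSam -UserPrincipalName $DelegUpn `
        -AccountPassword $pwd -Enabled $true -PasswordNeverExpires $true
}
# SPN on the delegation account (same effect as: setspn -S host/f5deleg.company.local f5deleg)
Set-ADUser -Identity $DelegSam -ServicePrincipalNames @{ Add = $DelegSpn }
# Constrained delegation to the ADFS HTTP service only ...
Set-ADUser -Identity $DelegSam -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
# ... with protocol transition ("Use any authentication protocol"), which APM
# needs because the user presented an LDAP/AD logon to the BIG-IP, not a ticket.
Set-ADAccountControl -Identity $DelegSam -TrustedToAuthForDelegation $true

# 5. Verify what the BIG-IP Kerberos SSO profile will rely on.
Get-ADUser -Identity $DelegSam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object sAMAccountName, UserPrincipalName, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
Resolve-DnsName -Name $AdfsIp -Type PTR
```

Run it once from an elevated, domain-joined session; step 3 is the check most often skipped, since the BIG-IP error only says the ticket request failed, not that the target SPN does not exist.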
