Authentication Failed with NTLMv2

Question

Hello everyone,&nbsp;I am trying to activate a MFA with SAML for authentication in an external domain and then through NTLMv2 and SSO I want to authenticate against a web application but it ends up giving an error of 'Failed User Credentials'. Although the solution may seem trivial, it does not go through a failure in credentials, blocked user, admin user who makes Kerberos against a Windows AD with erroneous credentials ...I am reviewing the APM logs and activating verbose and debug but I can't see more information that can give me a track.Can you give me any idea about it?Thank you and regards,&nbsp;Kracti.

whisperer · Answer

Please take a look at the following for starters:

https://community.f5.com/t5/technical-articles/configuring-apm-client-side-ntlm-authentication/ta-p/286460

Make sure DNS is properly configure on F5 in addition to NTP for things to work properly.

Please provide some output of /var/log/apm while testing this configuration for tshoot assistance. Need help with this? Check out the following:

https://f5-agility-labs-iam.readthedocs.io/en/latest/class8/module5/module5.html

kracti · Answer

Thank you a lot, whisperer!Kevin's article on NTLM was already known to me and I have read it but the second F5 article is very interesting and extensive; i'll keep an eye on it, of course.&nbsp;Currently We already have an SSO working in production, both the NTP and DNS parts are correctly configured. On the other hand, this is the message that is constantly repeated when you try to finish the NTLM+Kerberos authentication with SSO against the final web application (the username, hostname and domain information has been modified for security &amp; privacy reasons, obviously). Also comment that a small code is executed in TCL (from the Access Policy) to delete the external domain and automatically add the SSO to the configured internal domain against which you really have to authenticate. Also, the 1st authentication with SAML works correctly:Jun 22 23:17:30 bigip1.domain.external.com warning apmd[6039]: 01490106:4: /Common/SAML_Proof:Common:8a5b93e6: AD module: authentication with 'username' failed: Preauthentication failed, principal name: username@domain.internal.com. Invalid user credentials. (-1765328360)Thanks!

Forum Discussion

Authentication Failed with NTLMv2

2 Replies

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

iControl REST Authentication Token Management

Application Programming Interface (API) Authentication types simplified

Distributed caching of authentication requests with NGINX Ingress Controller