HTTP 401 Response - Missing Split domain from full username - V13.1.1.4
Hi there F5 community,
I'm struggling with an authentication error. Currently I'm using a logon page with the option "Split domain from full username" and it's working; for another scenario, I need to use an HTTP 401 Response, but I don't have that option and AD auth is trying to construct the user and fails:
AD module: authentication with '<domain>\\<username>@<fqdn domain>' failed: Client '<domain\\<username>\@<fqdn domain>@<fqdn domain>' not found in Kerberos database, principal name: <domain\\<username>\@<fqdn domain>@<fqdn domain>. Please verify Active Directory and DNS configuration. (-1765328378)
I have a multi-domain environment, the AD Auth is configured with Cross Domain Support enabled and Trusted Domains. Is there any way to work around this or set the split using variables in order to successfully authenticate? Thanks in advance.
Regards,
Christian
You can always do the splitting yourself via the APM Visual Policy Editor.
An awesome introduction can be found here:
https://f5-agility-labs-iam.readthedocs.io/en/latest/class8/module4/module4.html
Specifically about splitting with VPE can be found here:
https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107
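An added example of what "doing the splitting yourself" looks like in a VPE Variable Assign agent; this is illustrative code, not from the thread or the linked articles. It assumes that a Variable Assign custom expression is evaluated as a Tcl script whose return value is stored in the target variable, that `mcget` reads a session variable, and that the HTTP 401 agent leaves the raw credential (DOMAIN\user, user@domain, or a bare user) in `session.logon.last.username`. Whether the downstream AD Auth agent then reads the domain from `session.logon.last.domain` is also an assumption here, not something the thread confirms.

```tcl
# Added example (not the thread's or F5's own code). Two Variable Assign
# rows in one agent; keep them in this order, since the second row
# overwrites session.logon.last.username.
# Assumption: the custom expression runs as a Tcl script and its return
# value is stored in the target variable; mcget reads a session variable.

# Row 1 - target: session.logon.last.domain
# Accepts DOMAIN\user, user@domain.example, or a bare username.
set raw [mcget {session.logon.last.username}]
if { [string first "\\" $raw] != -1 } {
    # DOMAIN\user: domain is the part before the backslash
    return [lindex [split $raw "\\"] 0]
} elseif { [string first "@" $raw] != -1 } {
    # user@domain (UPN style): domain is the part after the @
    return [lindex [split $raw "@"] 1]
} else {
    # no domain supplied: leave empty so the agent's default domain applies
    return ""
}

# Row 2 - target: session.logon.last.username
# Replace the raw credential with the bare user part.
set raw [mcget {session.logon.last.username}]
if { [string first "\\" $raw] != -1 } {
    return [lindex [split $raw "\\"] 1]
} elseif { [string first "@" $raw] != -1 } {
    return [lindex [split $raw "@"] 0]
} else {
    return $raw
}
```

Place the Variable Assign agent between the HTTP 401 Response agent and the AD Auth agent, and check the result in the session variable report (Access > Overview > Active Sessions) before trusting it: a value that still contains a backslash or an @ in `session.logon.last.username` means the split did not run, and the AD module will again glue a default domain onto the unsplit string, which is exactly the "not found in Kerberos database" symptom quoted above.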
- Christian_Nishi
Nimbostratus
Thanks a lot! I'm doing some tests right now; do you know the variable that AD Auth consumes to perform the authentication?
session.logon.last.username
- Christian_Nishi
Nimbostratus
I tried with several combinations, but still no luck
session.logon.last.username and session.logon.last.logonname are using the right user (Domain\User)
Looking on the APM log, I see:
Username 'mydomain\myuser'
AD module: authentication with 'mydomain\\myuser@trusteddomain' failed: Client 'mydomain\\myuser\@trustedomain@trusteddomain' not found in Kerberos database, principal name: mydomain\myuser@trustedomain. Please verify Active Directory and DNS configuration. (-1765328378)
I have a multi-domain environment, AD auth is configured with Trusted Domains and it looks like it is using the default domain to complete the user name. Can't find a way to use the last.logonname or last.username against the AD Auth...
- Dave_W
Employee
Hello Christian,
- Since this is multi-domain with cross domain enabled, do the 2 domains have a 2-way transitive trust?
- Are you saying that the username sent to the second domain is Domain_2\username?