We're testing our in house software on a clients site who use F5 load balancer. All their traffic goes through there. They have other applications that work fine through the F5 as well. We're setting up our software to use AD authentication. If we bypass the F5, it works as it should be. If we go through the F5, we get the issue below. Clients have to go through F5, and we ask them to contact F5 for support, but they're not willing to do it since their other applications work fine with it. I need your guidance please. 'Server Error in '/Success' Application. Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: The Workstation service has not been started. Source Error: Line 3: Line 4: Line 5: Line 6: Line 7: Source File: C:\Program Files (x86)\Success Enterprise\Success\config\membership.config Line: 5 Version Information: Microsoft .NET Framework Version:2.0.50727.5472; ASP.NET Version:2.0.50727.5456 '

Can you elaborate on what the application is attempting to do and how it works? Are you simply layer 4 (IP) load balancing through the F5? Or applying any application logic? Are you terminating SSL at the F5? Is AD authentication in the form of NTLM or Kerberos?

I agree with the previous response asking for more information but I'd like to throw out I've resolved an in-house app issue on the F5 that uses AD for authentication; enable persistence, we used source-address. This is a shot from the hip, so more information is needed to accurately troubleshoot; VIP configuration, tcpdumps showing application behavior, etc, etc.

It connects to the domain controller to do ad authentication for access to the program, that's all. If we bypass F5, works fine. It will default to kerberos and fall back to NTLM if kerberoes fail. I think we're just going through the F5, no other logic involve. SSl is involve. We did a packet capture and everything shows it connecting fine. As not having the F5 in front of us, Mel, you configure those on the F5? Thanks again guys for the response.

So does AD auth go through the BIG-IP too, or does the client contact the DC directly and then pass a token/ticket to the app through the F5? If the latter, is the name that clients reference (the FQDN of the F5 VIP) a name that the DC knows? For example, Kerberos is dependent on the servicePrincipalName value. Every Kerberos-enabled service in the domain has an SPN that is registered in the KDC. When a client goes to request access to a service, it first contacts the KDC and requests a ticket for that service using the service's SPN. That SPN is mapped to an encryption key in the KDC, so a ticket is generated, wrapped in the encryption key of the service, wrapped again in the encryption key of the client, and then sent back. The client unwraps the first layer and passes the rest to the service. Because the service has a copy of the same encryption key the KDC used, it can unwrap the next layer and expose the ticket. When going through a proxy, the client will still attempt to get a ticket, but it will do so using the name it has for the proxy interface. If that VIP FQDN is not the same as the SPN of the service, then the service may get a ticket from the client (through the proxy), but it won't be able to decrypt it. If you look at a wire capture, you should see the client making a port 88 Kerberos request to the KDC (domain controller) and then shoving the encrypted ticket (base64-encoded) into the Authorization header of the next (and subsequent) HTTP requests to the service. If you see that, but the application rejects it, then there's a good bet that the wrong SPN was used.

No, if our software connects directly to DC, everything works fine. AD authentication and such. But if we go through the F5 to get to dc, that's when it fails. No passing of token.

Implementation issues with new software going through F5 load balancer

16 Replies

Andy_01_133092
Nimbostratus
Sep 06, 2013
by local, do you mean on the same server as DC or on the network?

It is on the same network.
Kevin_Stewart
Employee
Sep 06, 2013
Local to the domain, as in running on a domain member machine and has direct access to the KDC/domain controller to request Kerberos tickets - without having to go through the F5 to do that.
Andy_01_133092
Nimbostratus
Sep 06, 2013
I have to check to see if it was on the same domain, but the client is requesting it to go through the F5, we can't do direct access to DC. This is the only way according to the client, otherwise, they don't want it setup.
Kevin_Stewart
Employee
Sep 06, 2013
Just consider that I'm not talking about direct access to everything, just the DC communication. I'm assuming there's another (application) server somewhere in this equation that is the endpoint of all of this, and that the DC is only needed for authentication requests. If at all possible, it would be easiest to allow application traffic through the F5 and have the client software talk to the DC directly. If the client is a non-Windows, non-domain member piece of software that is capable of Kerberos authentication, then it's still technically possible to route this traffic through a proxy, but you still need DNS resolution, a path for port 88 Kerberos traffic, and probably a keytab or two accessible to the software.

Just out of curiosity, does the application support any other form of authentication, like Basic?
Andy_01_133092
Nimbostratus
Sep 06, 2013
yes it does, but the client is requesting AD authentication for their purpose. This issue is coming from our development team and I'm the main IT guy whom they're requesting assistance from. Yes, I've been told that that the software is install on the application server that needs to go through the F5 to get to dc (REQUIRED by client). Hopefully, with the packet capture, it'll be clearer for you guys to assist.

Thank you.
nitass
Employee
Sep 08, 2013
just wondering how virtual server is configured. are you using one virtual server (e.g. network or wildcard virtual server) to handle AD traffic and another virtual server to handle application traffic?

Forum Discussion

Implementation issues with new software going through F5 load balancer

16 Replies

Recent Discussions

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Open Redirection Mitigation

GTM Packet Capture command

How to Implement 2 Way SSL in F5 LTM

BWC iRule

Related Content

Software Upgrade

CORS implementation

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Implementing basic OAuth with F5 BIG-IP APM

API Security: How to implement API Access Control with F5