For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Oxenburger_1420's avatar
Oxenburger_1420
Icon for Nimbostratus rankNimbostratus
May 20, 2015

Multiple Domain Support not working on APM

Hello,

 

I'm having a bit of a problem with APM and cross domain support using AD authentication.

 

There are multiple AD domains in our environment and webmail is currently setup through our Test and Production LTMs using the exchange 2013 iApp (Cas.v1.3.0)

 

On the Test LTM the iApp is configured to use the production exchange (CAS Servers) and is using AD authentication for Client Logon, which is using the production AD servers.

 

There are two separate Virtual Server setup in the Test LTM through using exchange iApp wizard. The DNS names I'm using to call webmail from a browser are webmail1.domain.internal and webmail2.domain.internal

 

Active Directory test User accounts are: DOMAIN-B\tstusr1 and DOMAIN-A\tstusr2

 

The Webmail1 virtual server is setup as follows: - AAA configuration for Webmail1 is Active Directory the Domain Name is set as DOMAIN-A.INTERNAL and the AD DC Server are in that AD Domain-A. Admin name is svcXYZ with valid password - The SSO Configuration (NTLMv1) has SSO set as DOMAIN-A with Username Conversion tick box selected. - (VPE) Access Policy has Cross Domain Support enabled in AD-Auth object.

 

When Signing in with user account DOMAIN-B\tstusr1 the logon fails with the following messages found in session reports: --- AD module: authentication with 'tstusr1@DOMAIN-B' failed: Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured. (-1765328316) --- AD module: krb5_get_init_creds_password(): Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured. (-1765328316)

 

When signing in with the user account tstusr2 it logons successfully, which is to be expected as it's a DOMAIN-A user account.

 

So for some reason the cross domain support is not working.

 

Webmail2 virtual server is setup as follows (essentially this is the reverse setup of webmail1): - AAA configuration for Webmail2 is Active Directory the Domain Name is set as DOMAIN-B.INTERNAL and the AD DC Server are in that AD Domain-B. Admin name is svcABC with valid password - The SSO Configuration (NTLMv1) has SSO set as DOMAIN-B with Username Conversion tick box selected. - (VPE) Access Policy has Cross Domain Support enabled in AD-Auth object.

 

When signing in with user account DOMAIN-A\tstusr2 the logon is successful. When signing in with user account tstusr1 the logon is also successfull.

 

So webmail2 is providing cross domain support.

 

So for some reason cross domain logon qon't work on the webmail1 setup which is unfortunately what's needed to deploy into production. This is because production already has DOMAIN-A operational, I need to integrate users from DOMAIN-B into the environment.

 

I setup webmail2 to test the reverse and thereby hoping to nail down this issue, but since it appears to be working I'm left a bit stumped by the issue.

 

Any help would be appreciated as I'm not sure if I'm dealing with a bug on the F5 or there something missing in the F5 configuration or AD environment that would make this work.

 

Thanks,

 

David

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iApps
LTM
security

4 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    May 21, 2015

    Hi David, if APM can auth a user from DOMAIN-A via DOMAIN-B, but not the other way around, and both are set up identically in APM, that seems to point to the AD configuration.

     

    It may be helpful to set the APM policy and logging options to "debug" and then watch the output of /var/log/apm. I'd like to see if the ticket request for user B to domain A is different from user A to domain B.

     

    thanks

     

  • Oxenburger_1420's avatar
    Oxenburger_1420
    Icon for Nimbostratus rankNimbostratus
    May 22, 2015

    Hi Mike,

    With debug set on APM here are the outputs from cross domain failing on webmail1 but working on webmail2 (the reverse). I couldn't see anything that explains why the realm is unknown on webmail1 connections.

    • 1) Connection to webmail1.domain.com. using domain-b account you can see cross domain support is not working
        May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 01490023:7: c5b29dcf: AD module: ENTER Function authenticateUser
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017c:7: c5b29dcf: AD module: Domain Controller is not specified for domain 'DOMAIN-B.INTERNAL', KDCs will be discovered using DNS
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc1.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc2.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc3.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 01490000:7: Sys.cpp func: "getIpv6Preference()" line: 50 Msg: Prefer IPv6: false
    May 22 10:46:04 LB-APMDEV01 debug apd[32536]: 0149017b:7: c5b29dcf: AD module: User 'tstusr1@DOMAIN-B' belongs to domain 'DOMAIN-B.INTERNAL'
    May 22 10:46:22 LB-APMDEV01 err apd[32536]: 01490107:3: c5b29dcf: AD module: authentication with 'tstusr1@DOMAIN-B' failed: Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured.  (-1765328316)
    May 22 10:46:22 LB-APMDEV01 debug apd[32536]: 01490111:7: c5b29dcf: AD module: krb5_get_init_creds_password(): Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured. (-1765328316)
    May 22 10:46:22 LB-APMDEV01 debug apd[32536]: 01490024:7: c5b29dcf: AD module: LEAVE Function authenticateUser
    • 2) Connection to webmail2.domain.com. using domain-a account you can see cross domain support is working.
        May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017c:7: dcee4e04: AD module: Domain Controller is not specified for domain 'DOMAIN-A.COM', KDCs will be discovered using DNS
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc1.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc2.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc3.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 01490000:7: Sys.cpp func: "getIpv6Preference()" line: 50 Msg: Prefer IPv6: false
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 01490024:7: dcee4e04: AD module: LEAVE Function authenticateUser
    May 22 10:51:49 LB-APMDEV01 info apd[32536]: 01490017:6: dcee4e04: AD agent: Auth (logon attempt:0): authenticate with 'tstusr2' successful

    Thanks,

    David

  • Oxenburger_1420's avatar
    Oxenburger_1420
    Icon for Nimbostratus rankNimbostratus
    May 22, 2015

    Hi Mike,

    I also captured some AD traffic from F5 and is showing that dc1 is unreachable.

    Pings from F5 to dc1-dc3 are showing reponses from dc2 and dc3 but not from dc1.

    If it is a reachability problem is there a way to get the F5 to only target specific KDC's in domain-b. Could this possibly be the issue.

    By that I'm refering to the message from the APM logs where it is appears to derive the KDC list using DNS discovery.

    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017c:7: c5b29dcf: AD module: Domain Controller is not specified for domain 'DOMAIN-B.INTERNAL', KDCs will be discovered using DNS
May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'svnewcastleretr.domain-b.internal' to KDC list
May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc1.domain-b.internal' to KDC list
May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc2.domain-b.internal' to KDC list
May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc3.domain-b.internal'

    Regards,

    David

  • Oxenburger_1420's avatar
    Oxenburger_1420
    Icon for Nimbostratus rankNimbostratus
    May 25, 2015

    I've finally solved the issue. I found that the first DC server found in the DNS discovered list of KDC servers performed by the F5 APM was an old server that no longer exists.

    tcpdump on the F5 showed repeated KRB5 AS-REQ from F5 to that none existent domain controller and the router local to the subnet were the DC used to reside sent ICMP host unreachable messages.

    The fix was to remove the old DNS service records _kerberos & _klist from DNS, user logons were successfull after removal.

    I'd logged a case with F5 for this problem and will try and find out why F5 APM didn't just select the next available KDC server rather than repeatedly trying the same failed DC server, you'd kinda think the list is there to provide redundancy.. isn't that the point?

    At some stage I did try to force the F5 to select a DC server by updating the krb5.conf (bigstart restart was done after each change), but this didn't work either and F5 APM continued to generate a list of KDC using DNS resolves.

    Anyway these are the config settings I tried on krb5.conf. Also, turned off DNS resolves in libdefaults as well and no luck here either.. perhaps there is more needed than this.

    [libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_realm = DOMAIN-A.INTERNAL

[realms]
DOMAIN-B.INTERNAL = {
 kdc = dc2.domain-b.internal:88
 admin_server = dc2.domain-b.internal:749
 default_domain = domain-b.internal
}

    [domain_realm] .domain-b.internal = DOMAIN-B.INTERNAL

    Cheers,

    David