Forum Discussion
SSL VPN username case matters?
Just wondering if anyone has had this issue also.
I have Big-IP 4000 (11.4.1 Build 637.0 Hotfix HF3)
We have some users who cannot authenticate over the VPN, as they receive a "username or password is incorrect" message when they try. Session logs show Invalid user credentials.
In troubleshooting with F5 and Microsoft, I happened to stumble on the fact that the accounts in question were older accounts (migrated from NT4, 2000 domain) and had capital letters in the name. We were looking at SID history.
Example user John Smith had logon of JSmith. So I renamed the account and removed a letter from the user's name, and made it all lowercase. So I changed it to jsmit and changed the password, and I was then able to get the user authenticated. We then just renamed the account back to jsmith (all lowercase) and no issues since.
Luckily we didn't have hundreds of users like this. We had several dozen, and when we rolled out the edge client, we were able to rectify any issues quickly.
- Lucas_Thompson_Historic F5 Account
APM implements standard Kerberos for AD auth. In Kerberos, both the client principal and realm are case sensitive. It's up to the authentication server how to deal with that, so this is more of a question for Microsoft. We pass the creds along to AD however the user types them.
- Sam_NovakAltostratus
I made a workaround that works for me in testing: https://devcentral.f5.com/codeshare/apm-ad-authentication-case-sensitivity-workaround-1191
Update: Oh, you had a user whose backend username was capitalized already; my workaround solves a different issue where the user mistakenly enters a capitalized username which caused Kerberos authentication errors, but I'll leave it here as it might still be useful to someone.