pspecht_152507
Mar 06, 2015

SSL VPN username case matters?

Just wondering if anyone has had this issue also.

I have Big-IP 4000 (11.4.1 Build 637.0 Hotfix HF3)

We have some users who cannot authenticate over the VPN, as they receive a "username or password is incorrect" message when they try. Session logs show "Invalid user credentials".

In troubleshooting with F5 and Microsoft, I happened to stumble on the fact that the accounts in question were older accounts (migrated from NT4, 2000 domain) and had capital letters in the name. We were looking at SID history.

Example: user John Smith had a logon of JSmith. So I renamed the account, removed a letter from the user's name, and made it all lowercase. So I changed it to jsmit and changed the password, and I was then able to get the user authenticated. We then just renamed the account back to jsmith (all lowercase) and have had no issues since.

Luckily we didn't have hundreds of users like this. We had several dozen, and when we rolled out the edge client, we were able to rectify any issues quickly.

  • Lucas_Thompson_
    Historic F5 Account

    APM implements standard Kerberos for AD auth. In Kerberos, both the client principal and realm are case sensitive. It's up to the authentication server how to deal with that, so this is more of a question for Microsoft. We pass the creds along to AD however the user types them.