Forum Discussion
NimbostratusTroubleshoot NTLM SSO
Dears,
i am trying to configure NTLM SSO and it is failing. i am receiving the below errors.
i am using a variable before the SSO mapping as the application excepts authentication in this format DOMAIN/USERNAME.
session.logon.last.username = expr { [concat "domain\\[mcget {session.logon.last.username}]"] }Any help will be highly appreciated.
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: different sso config object received, name: /Common/test, method: 4
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ssoMethod: ntlmv2 usernameSource: session.sso.token.last.username passwordSource: session.sso.token.last.password ntlmdomain: domain.abc
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_REQUEST
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_REQUEST_DONE
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_SESSION_RESULT
Oct 22 11:51:17 DRBIGIP1 info websso.2[18531]: 014d0040:6: ea38761e: Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for SSO to work properly
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_SESSION_RESULT
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_SESSION_RESULT
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab04580, CLIENT: TMEVT_SESSION_RESULT
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab046d8, SERVER: TMEVT_REQUEST
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: ctx: 0x5ab046d8, SERVER: TMEVT_RESPONSE
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: 15 headers received
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header *[:status][401 Unauthorized] (len=16)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header *[WWW-Authenticate][Negotiate] (len=9)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [X-MS-InvokeApp][1; RequireReadOnly] (len=18)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [SPRequestGuid][b90e3a9d-a485-a0ef-fb06-db1311cfe534] (len=36)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [X-Powered-By][ASP.NET] (len=7)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [X-FRAME-OPTIONS][SAMEORIGIN] (len=10)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [MicrosoftSharePointTeamServices][15.0.0.4569] (len=11)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [SPIisLatency][0] (len=1)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [Content-Type][text/plain; charset=utf-8] (len=25)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [Content-Length][16] (len=2)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [Date][Thu, 22 Oct 2015 08:51:17 GMT] (len=29)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [request-id][b90e3a9d-a485-a0ef-fb06-db1311cfe534] (len=36)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [X-Content-Type-Options][nosniff] (len=7)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [Server][Microsoft-IIS/8.5] (len=17)
Oct 22 11:51:17 DRBIGIP1 debug websso.2[18531]: 014d0001:7: http header [SPRequestDuration][6] (len=1)
Oct 22 11:51:17 DRBIGIP1 info websso.2[18531]: 014d0014:6: ea38761e: Found HTTP 401 response for SSO configuration '/Common/test' type:'ntlmv2'`text`
8 Replies
- Kevin_Stewart
Employee
If you look at the properties of your NTLM SSO profile, you'll see two "source" variables which are the values used to perform the NTLM auth to the server. You have one for username (usually session.sso.token.last.username), and one for password (usually session.sso.token.last.password). There's also one for the input domain. If you're collecting the username and password from a login page, they'll be stored in the session.logon.last.username and session.logon.last.password variables, respectively and the password will be stored encrypted. In order to use that password in an SSO, you'll want to add an SSO Credential Mapping agent in the visual policy right before the ending Allow block which will copy both values to their respective session.sso.token.last.* variables and decrypt the password.
Ibrahim_KadiriHi Kevin,
Thanks for the input.
The NTLM profile is Configured as below,
Domain Source: session.logon.last.domain (when i see the logs under logs/apm i do not find this variable with the domain information)
NTLM Domain: domain
And the Access Policy is configured
Start --| Logon Page --| Ad AUTH --| Variable assignment --| SSO Crediential Mapping --| Allow
The Variable assigned is
session.logon.last.username = expr { [concat "domain\\[mcget {session.logon.last.username}]"] }Still the SSO is failing.
Regards.
- Kevin_Stewart
Have you tried setting the domain session variable instead of creating a new variable?
- Ibrahim_Kadiri
Yes i tried replacing the session.logon.last.domain to session.logon.actual.domain as i noticed in the logs but that did not help.
The SSO is failing and i am seeing the Logon Page Prompt.
Because on the application authentication side we need to have DOMAIN/Username.
Thanks.
- Kevin_Stewart
You shouldn't have to modify the username to add the domain. The NTLMv2 SSO should handle this for you. You need to do the following:
-
Ensure that your access policy correctly populates the session.sso.token.last.username variable with the user's userPrincipalName or sAMAccountName value. This is generally accomplished with the SSO Credential Mapping agent from some other input source like session.logon.last.username from the logon page agent.
-
Ensure that your access policy correctly populates the session.sso.token.last.password variable with the user's password. This is accomplished with the SSO Credential Mapping agent from some other encrypted source like session.logon.last.password from the logon page agent.
-
Ensure that your access policy correctly populates the session.logon.last.domain variable with the user's domain name, or statically populate the NTLM DOMAIN value in the NTLMv2 SSO profile.
You may need to test enabling and disabling the Username Conversion option in the SSO profile.
Otherwise, how would you authenticate to the server directly from a client in the domain? Are you certain that the server accepts NTLMv2?
-
- Ibrahim_Kadiri
Hi Kevin,
Thanks for your help.
For ensuring that the domain is correctly populated I will enter it statically *eg:domain* in the ntlm domain source so that it will use from the defined one.
For accessing the portal directly its integrated with our windows domain machine and the credentials are fetched from there and access is given accordingly.
Regards.
- Ibrahim_Kadiri
hi Kevin,
i am unable to see any value related to userPrincipalName or sAMAccountName in the APM logs.
Is there a way where i can fix this or make the SSO work without the values?
Regards.
- Kevin_Stewart
i am unable to see any value related to userPrincipalName or sAMAccountName in the APM logs.
You have to create one of these values. Generally speaking, the logon page is going to create the session.logon.last.username value, and the SSO Credential Mapping agent is going to dump that value into the session.sso.token.last.username variable. NTLM is a challenge response authentication protocol. The server is going to challenge the client with some piece of information, and the client (APM SSO) is going to respond to that challenge to prove knowledge of the user's password.
