cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

AD Authentication Failing in APM

Raghbir_Sandhu
Altocumulus
Altocumulus

Following steps were taken. However, I am getting the error Common/devportal.kellogg.com_access_process:Common:eff7711c: AD module: authentication with 'testuser1' failed: Invalid format of Kerberos lifetime or clock skew string, principal name: xxxxxxx@abc.COM. Please verify Active Directory and DNS configuration. (-1765328136). I am struggling with this error for few days. However no success. Looking for answer from the experts. Please advise.

 

  1. Created a node for AD Domain Controller
  2. Created a Pool and added AD domain controller
  3. LDAP based health check working
  4. DNS setup working
  5. NTP setup and working
  6. AAA Active Directory Object created
  7. APM policy created with Active Directory authentication.
  8. Enabled APM Debug log.

 

Cheers,

Raghbir

5 REPLIES 5

Did the server team check that their AD server has the same time/clock values and also their logs? The issue will not always be the F5. Also check the hardware clock on the F5 device just in case:

 

https://support.f5.com/csp/article/K3381

 

 

 

Maybe also test if with LDAP there are no issue, you may use ldapsearch or adtest tool on F5 device as maybe the F5 is not telling us what is exact issue?

 

 

If someone has better idea, please also share it.

 

 

 

Also have you checked everything in :

 

 

https://support.f5.com/csp/article/K24065228

 

https://support.f5.com/csp/article/K40119818

Thanks for the reply. I have check the HW and Systems time. They were different, however now HW and Systems time is with in 3 second. The other thing is, i am able to authenticate using LDAP AAA (not Active Directory). I used the same AD servers. But authentication failed with Active Directory AAA.

 

One question I have, Can we use the AAAA LDAP authentication for Kerberos SSO with the Kerberos SSO profile.

 

Any suggestion.

Still better to ask also the server team to check their AD logs and so on. See this "Table 3.1 Client-side and server-side authentication method support matrix" on the link below:

 

https://support.f5.com/csp/article/K08200035#link_02

 

 

Basically on the F5 device you use for the client side authentication the apm web form (webtop) or HTTP Basic and the server side authentication (SSO) can be KERBEROS.

 

 

 

I am able to solve the issue. In the krb5.conf file, there was a extra space in the ticket_lifetime = 24 parameter setting. I removed the extra space and now it is working.

For future issues follow this article https://support.f5.com/csp/article/K40119818 . So the SSO worked for you and the server team couldn't help with the SAML or AD authentication ?