Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

AD Authentication Failing in APM

Raghbir_Sandhu
Altocumulus
Altocumulus

‎30-Mar-2021 03:45

Following steps were taken. However, I am getting the error Common/devportal.kellogg.com_access_process:Common:eff7711c: AD module: authentication with 'testuser1' failed: Invalid format of Kerberos lifetime or clock skew string, principal name: xxxxxxx@abc.COM. Please verify Active Directory and DNS configuration. (-1765328136). I am struggling with this error for few days. However no success. Looking for answer from the experts. Please advise.

 

  1. Created a node for AD Domain Controller
  2. Created a Pool and added AD domain controller
  3. LDAP based health check working
  4. DNS setup working
  5. NTP setup and working
  6. AAA Active Directory Object created
  7. APM policy created with Active Directory authentication.
  8. Enabled APM Debug log.

 

Cheers,

Raghbir

Labels:
0 Kudos
5 REPLIES 5

Nikoolayy1
MVP
MVP

‎30-Mar-2021 07:24

Did the server team check that their AD server has the same time/clock values and also their logs? The issue will not always be the F5. Also check the hardware clock on the F5 device just in case:

 

https://support.f5.com/csp/article/K3381

 

 

 

Maybe also test if with LDAP there are no issue, you may use ldapsearch or adtest tool on F5 device as maybe the F5 is not telling us what is exact issue?

 

 

If someone has better idea, please also share it.

 

 

 

Also have you checked everything in :

 

 

https://support.f5.com/csp/article/K24065228

 

https://support.f5.com/csp/article/K40119818

0 Kudos

Raghbir_Sandhu
Altocumulus
Altocumulus
In response to Nikoolayy1

‎30-Mar-2021 10:05

Thanks for the reply. I have check the HW and Systems time. They were different, however now HW and Systems time is with in 3 second. The other thing is, i am able to authenticate using LDAP AAA (not Active Directory). I used the same AD servers. But authentication failed with Active Directory AAA.

 

One question I have, Can we use the AAAA LDAP authentication for Kerberos SSO with the Kerberos SSO profile.

 

Any suggestion.

0 Kudos

Nikoolayy1
MVP
MVP
In response to Raghbir_Sandhu

‎30-Mar-2021 11:47

Still better to ask also the server team to check their AD logs and so on. See this "Table 3.1 Client-side and server-side authentication method support matrix" on the link below:

 

https://support.f5.com/csp/article/K08200035#link_02

 

 

Basically on the F5 device you use for the client side authentication the apm web form (webtop) or HTTP Basic and the server side authentication (SSO) can be KERBEROS.

 

 

 

0 Kudos

Raghbir_Sandhu
Altocumulus
Altocumulus
In response to Raghbir_Sandhu

‎01-Apr-2021 13:52

I am able to solve the issue. In the krb5.conf file, there was a extra space in the ticket_lifetime = 24 parameter setting. I removed the extra space and now it is working.

0 Kudos

Nikoolayy1
MVP
MVP

‎02-Apr-2021 09:58

For future issues follow this article https://support.f5.com/csp/article/K40119818 . So the SSO worked for you and the server team couldn't help with the SAML or AD authentication ?

0 Kudos
Copyright © 2023 Khoros, LLC