I am trying to activate a MFA with SAML for authentication in an external domain and then through NTLMv2 and SSO I want to authenticate against a web application but it ends up giving an error of 'Failed User Credentials'. Although the solution may seem trivial, it does not go through a failure in credentials, blocked user, admin user who makes Kerberos against a Windows AD with erroneous credentials ...
I am reviewing the APM logs and activating verbose and debug but I can't see more information that can give me a track.
Can you give me any idea about it?
Thank you and regards,
Please take a look at the following for starters:
Make sure DNS is properly configure on F5 in addition to NTP for things to work properly.
Please provide some output of /var/log/apm while testing this configuration for tshoot assistance. Need help with this? Check out the following:
Thank you a lot, whisperer!
Kevin's article on NTLM was already known to me and I have read it but the second F5 article is very interesting and extensive; i'll keep an eye on it, of course. Currently We already have an SSO working in production, both the NTP and DNS parts are correctly configured. On the other hand, this is the message that is constantly repeated when you try to finish the NTLM+Kerberos authentication with SSO against the final web application (the username, hostname and domain information has been modified for security & privacy reasons, obviously). Also comment that a small code is executed in TCL (from the Access Policy) to delete the external domain and automatically add the SSO to the configured internal domain against which you really have to authenticate. Also, the 1st authentication with SAML works correctly:
Jun 22 23:17:30 bigip1.domain.external.com warning apmd: 01490106:4: /Common/SAML_Proof:Common:8a5b93e6: AD module: authentication with 'username' failed: Preauthentication failed, principal name: firstname.lastname@example.org. Invalid user credentials. (-1765328360)