CRLDP Authentication : CRL lookup failed

Question

Hi F5 community,&nbsp;
I'm trying to use CRLDP Authentication on BigIP APM (12.0.0).
This is for an ActivSync access with Certification credentials (Kerberos method).
Everything works before adding CRLDP auth : Credentials are extracted from with client Certificat and used for Kerberos authentication. I have access to my emails. That part is great.&nbsp;
As far as CRLDP concerned, I followed this configuration process : https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/16.print.html.
To resum, I created the CRLDP AAA server and I associated to my access policy.   &nbsp;
And it's not working : reason 'No valid host found' CRL lookup failed for LDAP url.
And I'm not surprised because I know that a user account is required to access my LDAP.
Thing is I don't know how or where to configure it.&nbsp;
Somebody's got a clue ?&nbsp;
Cheers,
Julien&nbsp;

kevin_stewart · Answer

The error you're getting is most likely not because of authentication. Do your client certificates have a CRLDP x.509 extension in them? And if so do they point to the correct URL? APM has supported HTTP-based CRLDP for a few versions now and frankly that's the better and simpler way to go if you can do it.&nbsp;
As for requiring authenticated LDAP, it generally doesn't make sense to do that for CRLDP (or any revocation data) resources. While it technically can be done (adding bind information to an LDAP request) via iRules and some magical VIP targeting, it isn't natively supported in the config.&nbsp;

jlemoal · Answer

Hi Kevin,
Thanks for the answer.&nbsp;
Yes my client certificates have CRLDP x.509 extension and it's pointing to the correct url.
But I understand this isn't maybe the easiest (smartest?) way to do it.&nbsp;
I'll take your advice with HTTP-based CRLDP method, I'll try it.
And I'll get back to this article if needed.&nbsp;

jlemoal · Answer

Hi Kevin,
Thanks for the answer.&nbsp;
Yes my client certificates have CRLDP x.509 extension and it's pointing to the correct url.
But I understand this isn't maybe the easiest (smartest?) way to do it.&nbsp;
I'll take your advice with HTTP-based CRLDP method, I'll try it.
And I'll get back to this article if needed.&nbsp;

Forum Discussion

CRLDP Authentication : CRL lookup failed

3 Replies

Recent Discussions

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

Related Content

HTTP error 503, DNS lookup failed

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

SNI Routing with DNS Lookup

Doing mTLS Authentication per URL

Irule Table lookup