kerberos
63 Topics

Outlook Anywhere and NTLM authentication
Hello, I am trying to achieve Outlook Anywhere with basic-NTLM and Kerberos SSO. I followed the DG and am stuck at NTLM authentication. When I create the NTLM Machine Account the logs say that it joined the domain, then I create the NTLM Auth Configuration with my domain and DCs. After that I see these messages in the logs:

nlad[11851]: 01620000:3: <0x2b3374f71700> nlclnt[12a02a8c0] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 192.168.

I added some Exchange groups to the machine account and enabled delegation for http with Exchange servers. I then try to renew the machine account password but I get this error:

adutil[16625]: 01490274:5: (null):Common:00000000: New master key received.
adutil[16625]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'EXAMPLE.AD'
adutil[16625]: 01490200:3: WARNING: machine account update for 'f5apm' failed: Preauthentication failed, principal name: f5apm@EXAMPLE.AD. Invalid user credentials. (-1765328360)

Then I took a look at Kerberos traffic and could see that the bigip can't get a Kerberos ticket: At this step I am not even talking about Kerberos SSO, which I think has nothing to do with NTLM. I have found K33692321 but it doesn't help. I also took a look at K08915521. It says that it may be a domain name or NetBIOS name issue, but I know that my domain is EXAMPLE.AD and NetBIOS EXAMPLE. Has someone already managed to make this work? It is a standard configuration, so am I missing something on the Windows side? Best regards

Problem with Kerberos in iApp for Exchange 2013
Hey, I have set up an iApp for Exchange 2013 (f5.microsoft_exchange_2010_2013_cas.v1.3.0) on BIGIP 11.4.1. Now, Autodiscover won't work and to me it looks like some Kerberos problem. I have reviewed the config following https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos, but instead of "fetched S4U2Self ticket for user: test.user@F5.DEMO" I get the following:

May 26 17:52:10 F5BIGIP03 info websso.1[13873]: 014d0011:6: 1c8813d7: Websso Kerberos authentication for user 'testuser' using config '/PTA_Gruppe/PTAexchange.app/exchange_ntlm_kerberos_sso'
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0046:7: 1c8813d7: adding item to WorkQueue
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0018:7: sid:1c8813d7 ctx:0x8f9e528 server address = ::ffff:172.17.27.192
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0021:7: sid:1c8813d7 ctx:0x8f9e528 SPN = HTTP/exmbx01.domain.com@DOMAIN.COM
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0023:7: S4U ======> ctx: 1c8813d7, sid: 0x8f9e528, user: testuser@DOMAIN.COM, SPN: HTTP/exmbx01.domain.com@DOMAIN.COM
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Getting UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: fetched new TGT, total active TGTs:1
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT: client=host/bigip_ntlmuser@DOMAIN.COM server=krbtgt/DOMAIN.COM@DOMAIN.COM expiration=Tue May 27 03:52:10 2014 flags=40600000
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT expires:1401155530 CC count:0
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Initialized UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000 kcc:0x9054ae8
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: testuser@DOMAIN.COM server: HTTP/exmbx01.domain.com@DOMAIN.COM - trying to fetch
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: testuser@DOMAIN.COM - trying to fetch
May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testuser@DOMAIN.COM - Server not found in Kerberos database (-1765328377)
May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0024:3: 1c8813d7: Kerberos: Failed to get ticket for user testuser@DOMAIN.COM

I suppose that I have committed some really simple error. Can anyone give me a hint where I have to look? Thank you! Regards, Alex

Kerberos SSO without webtop
Dear Fellows, Is it possible to have an iRule for Kerberos SSO without webtop, similar to SAML SSO without webtop? Do you have an example?

SAML SSO without webtop:

when ACCESS_POLICY_COMPLETED {
    switch -glob [ACCESS::session data get session.server.landinguri] {
        "/mycloudapp*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/MYCLOUDAPP"
        }
        "/proofpoint*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/PROOFPOINT"
        }
        "/businessolver*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/BUSINESSOLVER"
        }
    }
}

SAML SP ACS Post back resulting in a 404
Hello, I have one application configured to use APM via SAML authentication. The SP & IdP are both running directly on our F5. This setup is working for many applications; only for this one I have problems with the SAML flow. Only some web resources from this app are protected; we used an iRule in order to handle this. When I access one of the protected URIs I will be redirected to our IdP in order to get the authentication (KRB Ticket). This is still working, I get a session for it (Allowed state) and also see the correct SP in the reference. But the post back from the IdP to the SP to the ACS /saml/sp/profile/post/acs is resulting in a 404.

Accessing protected web resource -> www.app1.com/protected
No session right now so I will be redirected to IdP -> idp.com/saml/idp/profile/redirectorpost/sso (Post; State 302)
Redirect back to SP -> www.app1.com/saml/sp/profile/post/acs (Post; State 404)

Anybody an idea how to solve this or where I can start with the error search? Thanks, Christoph

Kerberos AAA login pop-up issue
Folks, Before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue! Here we go!

I have a Virtual server (companyA.example.com:443). An access policy with a 401 response agent followed by a Kerberos Auth agent is assigned to the VIP. Users are in domain (inside.corp).

AD setup: A service account is set up on the AD server (f5-service-account).

Keytab:
c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab

SPN:
setspn -U -A HTTP/companyA.example.com f5-service-account

F5 setup: The keytab file is uploaded under Access->AAA->kerberos & auth realm INSIDE.CORP is used.

When tested with APM in debug mode, I found the below error in the logs:

modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information

From the client side, SSO doesn't work and I get a browser pop-up where I can input the credentials. Entering the creds doesn't work either. APM VPE: Any help is greatly appreciated! Thanks in advance!

Problems with using Kerberos Authentication
Hi Everyone, Trying to get Kerberos Authentication to work through an APM policy. I am not trying to get SSO to work (well, not yet anyway), just trying to get Kerberos authentication from a domain-attached Windows 7 client. I have followed the documents and created a service account with appropriate settings and imported a keytab file. There is a 'HTTP 401 Response' and a 'Kerberos Auth' step in my pipeline, but it just falls straight through to 'fallback' and denies access. In the APM logs I see:

Nov 7 09:48:55 auhof51 debug apd[6907]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: 850bee9c : GSS-API error gss_acquire_cred: d0000 : Unspecified GSS failure. Minor code may provide more information
Nov 7 09:48:55 auhof51 debug apd[6907]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: 850bee9c : GSS-API error gss_acquire_cred: 186a4 :

Is there any way to work out what the GSS-API error number 186a4 might mean? Thanks, Jason

Kerberos 401 authentication with form fallback
Hello, we are using APM for SAML authentication. Domain-joined machines should authenticate transparently with Kerberos; users without the ability to use Kerberos (non domain-joined, Firefox without negotiate settings) should receive a form to log in. Kerberos works fine, but users with non domain-joined machines receive a browser authentication prompt and "Authentication required to access the resources.". Has anybody set up such a scenario? Any help is appreciated.

Using F5 as a Service Provider with Okta IdP
I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta: Secure Access to Web Applications with F5 and Okta... - DevCentral. However, it doesn't provide instructions for how to get the Single sign on URL and the Audience URI for the app, and I also can't find an article for how to connect F5 to the application to pass the header or Kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.

Client side Kerberos problem with Mac OSX 10.9 and Safari 7.0.2
Hi all, I've got a working client side SSO access policy in APM providing access to an internal intranet. It works perfectly with Windows clients (with the right browser config) and I can get it working on Chrome on our Macs, once the Macs have been issued with an initial Kerberos ticket for the user's AD account (our KDC is Windows AD 2003). Safari just throws up an APM error page when the user connects with it saying, "Invalid Session ID: Your session may have expired." Checking the APM log even in debug mode doesn't show anything obvious for that session; you just see a message saying the session has been deleted, no Kerberos processing begins. On the client side, in a HTTP trace I see this:

Request
GET /my.policy HTTP/1.1
Host: www.victoria.ac.nz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Proxy-Connection: keep-alive
Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us
Referer: http://www.victoria.ac.nz/
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 401 Unauthorized
Server: Apache
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Accept-Ranges: bytes
Connection: close
Date: Wed, 30 Jul 2014 04:54:09 GMT
Content-Length: 335
WWW-Authenticate: Basic realm="staff.vuw.ac.nz"
WWW-Authenticate: Negotiate
Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure
Set-Cookie: MRHSession=ef9605c9ed0bca0206113f6077c8fbae;path=/;secure

Request
GET /my.policy HTTP/1.1
Host: www.victoria.ac.nz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Authorization: Negotiate (key snipped for security) YIIHXwYGKwYBBQUCoIIHUzCCB0+gITAfBgkqhkiG9xIBAgIGBiqFcCsOAwYKKwYBBAGCNwICCqKCBygEggckYIIHIAYJKoZIhvcSAQICAQBuggcPMIIHC6ADAgEFoQMCAQ6iBwMFAAAAAACjggYGYYIGAjCCBf6gAwIBBaERGw9TVEFGRi5WVVcuQUMuTlqiJTAjoAMCAQOhHDAaGwRIVFRQGxJ3d3cudmljdG9yaWEuYWMubnqjggW7MIIFt6ADAgEXoQMCAQSiggWpBIIFpdLbJ9FpJ//Bjl+ixeKwBjDZ/1uVgsnoQr4l+kqMazjtr/AILRjfY57mL4hSHX8EWgOObQ+6NlP=********
Proxy-Connection: keep-alive
Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us
Referer: http://www.victoria.ac.nz/
Accept-Encoding: gzip, deflate

Response
HTTP/1.0 302 Found
Server: BIG-IP
Connection: Close
Content-Length: 0
Location: /my.logout.php3?errorcode=20
Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure
Set-Cookie: MRHSession=d5087e7f0252687cc231819f77c8fbae;path=/;secure

So it looks like Safari is presenting its Kerb ticket, but the F5 doesn't like it. Anyone got any clues? Thanks, Gavin

Can F5 APM act as a Kerberos KDC proxy (like Microsoft DirectAccess) for Zscaler ZIA?
Hello, Zscaler ZIA can use Kerberos Authentication even for remote users (Road Warriors as they call them), but then a KDC proxy is needed, like Microsoft DirectAccess, to translate the HTTPS Kerberos traffic to normal TCP (like a proxy but for Kerberos). I was wondering if F5 APM can do the same and provide the ticket to the client, which the client then sends to Zscaler. All the F5 APM features seem to be related to not sending the ticket directly to the client but acting as a man in the middle.

https://help.zscaler.com/zia/about-kerberos-authentication
https://help.zscaler.com/zia/about-kerberos-authentication#kerberos-features
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/d688ea3a-04b0-45ea-8226-82a74cb6289e