ntlm
NTLM Configuration error
Hi, I'm trying to configure NTLM, and for the machine account I face the following error: domain join for 'HAZA' failed: Operations error, base: CN=Computers,dc=LDAP-IBRAHIM,dc=TEST, scope: 0, filter: (objectClass=*) (1). Below are the last few packets before F5 (192.168.5.99) closes the connection with LDAP (192.168.5.155). I really don't know what I missed.

NTLM Machine Account Issues - APM
Good afternoon - I am hoping someone can point me in the right direction. I'm trying to use the iApp to deploy RDP Gateway using APM (using this template - ). Part of the config is to create a new NTLM Machine account. I had no issues creating the account - and the iApp deployment went swimmingly well. I also verified that the machine account showed up in AD as a computer account. However, I am seeing these errors in the APM logs:

May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> nlclnt[2a8e2c794]: is now initializing.
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil), my_name = "F5LAB", dest_host = "domaincontroller.domain.local", port = 445, service = "IPC$", service_type = "IPC", user = "F5LAB$", domain = "DOMAIN")
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil)) = 0xC000006D
May 15 17:40:32 f5lab err nlad[6379]: 01620000:3: <0x56900b70> nlclnt[2a8e2c794] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.11.12.13

I also cannot renew the NTLM account password from the GUI as I get this error:

Could not connect to domain domain controller of realm 'domain.local' machine account update for 'f5lab' failed: Preauthentication failed, principal name: f5lab@domain.local. Invalid user credentials. (-1765328360)

I'm running on 12.1.3.4 and have tried the following:
Recreated the NTLM account, multiple times. I know I have permissions as the account does show up in AD, and I do have domain admin level permissions.
Restarted the eca service (bigstart restart eca).
Restarted the nlad service (bigstart restart nlad).
Restarted the F5 appliance itself.
Verified that the DNS settings are configured properly. The F5 is able to resolve the domain controller IP from the alias.
No firewall exists between this F5 and the domain controller.

Has anyone seen this and if so - can anyone point me in the right direction?
I thought I'd try here before opening a support ticket with F5.

Outlook Anywhere and NTLM authentication
Hello, I am trying to achieve Outlook Anywhere with basic-NTLM and Kerberos SSO. I followed the DG and am stuck at NTLM authentication. When I create the NTLM Machine Account the logs say that it joined the domain, then I create the NTLM Auth Configuration with my domain and DCs. After that I see these messages in the logs:

nlad[11851]: 01620000:3: <0x2b3374f71700> nlclnt[12a02a8c0] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 192.168.

I added some Exchange groups to the machine account and enabled delegation for http with Exchange servers. I then try to renew the machine account password but I have this error:

adutil[16625]: 01490274:5: (null):Common:00000000: New master key received.
adutil[16625]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'EXAMPLE.AD'
adutil[16625]: 01490200:3: WARNING: machine account update for 'f5apm' failed: Preauthentication failed, principal name: f5apm@EXAMPLE.AD. Invalid user credentials. (-1765328360)

Then I took a look at Kerberos traffic and could see that the bigip can't get a Kerberos ticket. At this step I am not even talking about Kerberos SSO, which I think has nothing to do with NTLM. I have found K33692321 but it doesn't help. I also took a look at K08915521. It says that it may be a domain name or NetBIOS name issue, but I know that my domain is EXAMPLE.AD and NetBIOS EXAMPLE. Has someone already managed to make this work? It is a standard configuration, so am I missing something Windows side? Best regards

ECA plugin documentation in the wiki
I'm running 11.4.1 and trying to figure out NTLM auth. I'm following a guide I found on devcentral but it's not working for me. I see there's a plugin ECA that enables NTLM authentication, however the documentation is...well, not present. The Wiki says that 11.3.0 introduced "ECA::metadata", however when I try using that in my iRule I get a syntax error:

01070151:3: Rule [/XXX/ntlm-auth-iRule] error: /XXX/ntlm-auth-iRule:44: error: [undefined procedure: ECA::metadata][ECA::metadata select_ntlm:$static::ntlm_config]

So apparently ECA::select works - by which I mean that I get no errors when I save the iRule. However, the iRule is not working. I am having a hard time troubleshooting because ECA is such a black box.

NTLM Authentication issue
Hi, I'm setting up APM for authentication for Exchange 2013. In certain scenarios NTLM authentication is used to authenticate the client, and SSO via Kerberos at the back end. This all works fine. The issue is that the NTLM machine account password sometimes expires and is not automatically renewed, causing NTLM auth to fail. If I manually renew the password all is fine again. So my main question is: Does F5 not automatically renew its NTLM machine auth password? The policy in AD for the machine account is all default settings (30 days lifetime I think). Side question: How is the NTLM machine auth password synced in an HA environment? At the moment we use manual sync, and based on the timestamps for the NTLM machine auth password a new password is synced to the standby device when you sync configuration. Assuming you have renewed the password and NOT synced the configuration, and then failover to the other BIGIP, will NTLM auth fail? (Thus requiring automatic sync?) Thanks

Mixed APM authentication
Hi Folks, I'm tasked to create a unified APM Policy which is able to support the authentication methods below.

Forms (for browsers)
Negotiate via Kerberos-Ticket (for Kerberos enabled clients)
Negotiate via NTLM (fallback if a Kerberos-Ticket cannot be obtained)
NTLM (fallback for Negotiate unaware clients)
Basic (fallback of last resort)

Performing selectively Forms, Negotiate via Kerberos, NTLM and Basic can be easily adopted reading available information. But "Negotiate via NTLMSSP" is somehow not supported by F5, or at least I can't find any information on how to teach APM or ECA to consume negotiated NTLMSSP messages. Before I start to develop a solution by myself, I would like to ask if someone already has a working iRule to support "Negotiate via NTLM" authentication as a fallback in the case the client is unable to provide Kerberos-Tickets (e.g. client is not domain joined, local user account is used, DC is not reachable, SPN does not exist, etc.)? Cheers, Kai

APM Forms-based logon with NTLM SSO Backend
I've been fighting this a bit and not finding the solution in other DevCentral Articles. Goal Synopsis: User opens internet portal page. Presented with Forms-based login page, user enters their username (e.g. firstinitial.lastname) and password. A chain of 5 AD forests is tested against this username. On success, the F5 passes NTLM auth to a backend webserver, in this instance SharePoint 2016. What's working: Everything up until the SSO mapping/NTLM result which needs to be passed to SharePoint. Below is the flow I've made; the NTLM auth result I threw in as a test, and the message boxes are just debug to see which branch is hit without digging in logs. The All AD Auth is the AD chain I mentioned; I'm also assigning a variable after each success to set session.logon.last.domain to the corresponding AD in case it's needed later in the chain. I'm also doing a basic 401 challenge for internal NTLM and redirecting to either the internal or logon page based on client IP. Backend things: BIG-IP 13.1.1.2 Build 0.0.4 Point Release 2. NTLMv2 SSO is on the SSO cred mapping; however, it's targeting 1 domain only. This one domain is the hub in a hub/spoke AD trust layout, so any user from any domain can auth to it. I'm using iRules to handle the resource assignment since I'm directing to pools based on the hostname requested (we have a lot, it's annoying), but that isn't an issue. I've not set up that one NTLM setting I can't remember off the top of my head that can only be done via the TMM CLI, because I could only find it mentioned in version 11 or older BIG-IPs. Next Steps: I'm really not sure; everything I've been finding says this should be working but it's not, and I can't find anything on DevCentral that matches what I'm trying to do. It's all either been 401 challenge pages or something to do with SSO to MS Exchange. So I'm throwing this on here hoping someone has an idea as to what I'm missing.

APM different authentication mechanism based on Hostname
Hello, I wanted to know if it is possible to have, for example, two different authentication mechanisms in one Access Profile and, based on the URL which I enter, the APM decides which one is used.

Configuration:
- One virtual server, assigned with the ECA profile in order to use NTLM authentication

ltm virtual vs_app-login-sso {
    description "App for LDAP Login and NTLM SSO"
    destination 10.254.3.181:https
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_app-qual
    profiles {
        Login_SSO { }
        clientssl-insecure-compatible { context clientside }
        eca { }
        http_redirect_rewrite_all { }
        rba { }
        tcp { }
        websso { }
    }
    rules { irule_ECA_NTLM_Auth }
    source 0.0.0.0/0
    source-address-translation { type automap }
    translate-address enabled
    translate-port enabled
    vs-index 17
}

iRule:

when HTTP_REQUEST {
    ECA::enable
    ECA::select select_ntlm:/Common/ntlm_auth
}

And here is the Access Profile: So the first entry point is "Landing URI"; the profile should decide that when I come with the Login URL it should use the LDAP Login Page, and if I come with the SSO URL it should use NTLM. Both authentications work when they are used in separate profiles, but not combined in one. Is this possible or not? Hope everything is described clearly, if not just ask :) Thanks, Christoph

NTLM pop-up after successful authentication.
We are trying to develop an APM policy that allows domain joined computers to use a Kerberos ticket to log in to a SAML based intranet website. Currently the login to the SAML based intranet website already works with form based authentication using BIG-IP as a SAML IdP. The new setup has the following problem: The authentication currently works as intended if we go directly to the VIP "saml.demo.com"; it authenticates without requesting credentials and shows us the webtop with an icon for the SAML based intranet site. If you click the link the SAML IdP initiated auth does its job and you are logged in to the intranet website. The authentication has an issue when you do an SP initiated SAML request from the intranet website to saml.demo.com. The 401 response does its job and creates a session on the BIG-IP. But after this has been completed the user gets an NTLM basic popup for credentials. If you enter the correct credentials in this box nothing happens afterwards. If you close the pop-up box, and without closing the browser go back to the intranet website and do an SP initiated SAML request again, the previously established session gets used and the user gets redirected back to the intranet website with a SAML assertion and is logged in correctly. If you close the browser and open it again you can repeat the process. We are testing this with IE11 with the SAML and intranet website added to the intranet zone and auth. Logging shows a full completion of the APM policy and no errors or new 401 requests. The IE11 pop-up and the APM policy look as follows: Running version 12.1.2 HF1. Does anyone have an idea what creates this problem and how to solve it?

How do I pass IMAP(s) to APM for NTLM/AD Group Membership authentication?
My internal MS Exchange 2010 CAS and MB platforms are set up to enable IMAP globally for all domain users, and my v11.6 LTM is properly handling all the iApp features to support OWA, ECP, IMAP, ActiveSync, etc. internally as well. Externally, we have an additional iApp that serves public-facing ActiveSync, as well as utilizes the APM functionality to limit OWA and Outlook Web access to specific Active Directory users. We now have a need to extend that 'limited' external use to IMAP as well, but have not been able to figure out how to configure an iRule that will pass SSL (tcp/993) NTLM-based IMAP user credentials into APM for pre-authentication, prior to allowing connectivity. I have found many examples that use "ACCESS::policy" and "ECA::enable" that I think are just what I need, but everything I have tried requires that I associate an Access Policy directly to the Virtual Server, which then requires I associate an HTTP profile, breaking IMAP communications completely.