Forum Discussion

sanjai_126162
Feb 05, 2016

Couldn't find SSO domain

Hi All,

 

We are migrating some applications from TMG to F5. I am facing an issue with SSO for all the applications, e.g. the SharePoint application. My APM policy is: Start --> Logon Page --> AD Auth --> SSO --> Allow

 

SSO credential mapping settings:
username source: session.logon.last.username
username realm source: session.logon.last.domain
Kerberos Realm: abc.net
KDC: server name
AD acc name: host/s-ltm-prd@abc.net
SPN pattern: HTTP/%s@PMINTL.NET

 

Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_REQUEST
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_REQUEST_DONE
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_SESSION_RESULT
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_SESSION_RESULT
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_SESSION_RESULT
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0041:7: 6796e02d: Could not find SSO domain, check variable assign agent setting
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a9069a8, SERVER: TMEVT_REQUEST
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a9069a8, SERVER: TMEVT_RESPONSE
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_RESPONSE
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: Looking for Set-Cookie headers to merge into client response.
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_RESPONSE_DONE
Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: sso_disable: 1, _needAuth: 0
Feb 5 21:15:49 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_ABORT_PEER
Feb 5 21:15:49 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_ABORT_PROXY
Feb 5 21:15:49 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: webssoContext destructor ...
Feb 5 21:15:49 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: webssoConfig destruct

 

Could you please help with this?

 

5 Replies

  • Hello,

     

    Your domain SSO variable does not appear to be assigned: session.logon.last.domain

     

    SSO Credential Mapping doesn't set this variable.

     

    Did you add an additional user input within your logon page? Or did you activate the "Split domain from full Username" option on the logon page?

     

    You can also manually assign this variable by adding a variable assign block within the VPE.

     

    • The-messenger

      How do you set this value with Kerberos? I have tried several variable assign entries and I still get "Could not find SSO domain, check variable assign agent setting" in the session.

       

  • Apologies for adding to an old thread, but this came up in my Google search for the SSO domain error. So for completeness, here are some more details that will hopefully help new F5 admins like myself.

     

    I used this guide to set up a test SSO: https://support.f5.com/csp/article/K41357230

     

    But I was getting an SSO credentials error when looking at the logging:

    "SSO username is empty - SSO is disabled"

    "Could not find SSO username, check SSO credential mapping agent setting"

    "Could not find SSO password for user '', check SSO credential mapping agent setting"

     

    To resolve this I had to add "SSO Credential Mapping" after my AD Auth in the VPE (visual policy editor).

     

    This resolved the above errors, but I was still receiving the "session.logon.last.domain" empty error. As Yan mentioned above, the fix is to add a "Variable Assign" after the SSO Cred map that contains:

     

    Custom Variable-> session.logon.last.domain

    Custom Expression-> <your domain> e.g. mydomain.local

     

    Then SSO worked fine to an IIS server with NTLMv2 auth.

     

    I am unsure why the F5 Guide at the top did not work without adding the additional VPE items.
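
A small triage script for the websso debug messages quoted in this thread, added here as an example (it is not from the posters or from F5): it picks out the SSO failure messages, keeps the session id where the log line carries one, and pairs each with the fix suggested in the replies. The names `LINE`, `HINTS`, `triage` and `SAMPLE` are hypothetical, and the sample input is copied from the posts above.

```python
import re

# websso debug line as it appears in the original post:
#   "<date> <host> websso.0[pid]: <code>:<level>: [<session id>: ]<message>"
LINE = re.compile(r"websso\.\d+\[\d+\]: [0-9a-f]{8}:\d+: (?:(?P<sid>[0-9a-f]{8}): )?(?P<msg>.*)")

# Message text quoted in the thread -> (what is missing, fix suggested in the replies)
HINTS = [
    ("Could not find SSO domain", "domain",
     "assign session.logon.last.domain (Variable Assign, or split the domain on the logon page)"),
    ("SSO username is empty", "username", "add SSO Credential Mapping after AD Auth"),
    ("Could not find SSO username", "username", "add SSO Credential Mapping after AD Auth"),
    ("Could not find SSO password", "password", "add SSO Credential Mapping after AD Auth"),
]

def triage(lines):
    """Return ordered, de-duplicated (session_id, missing, fix) tuples."""
    findings = []
    for raw in lines:
        m = LINE.search(raw)
        # Fall back to the bare message for lines quoted without the syslog prefix.
        sid, msg = (m.group("sid"), m.group("msg")) if m else (None, raw.strip().strip('"'))
        for needle, missing, fix in HINTS:
            if needle in msg:
                item = (sid, missing, fix)
                if item not in findings:
                    findings.append(item)
                break
    return findings

# Sample input: lines copied from the posts above (log excerpt, then quoted messages).
SAMPLE = [
    "Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: ctx: 0x5a918388, CLIENT: TMEVT_SESSION_RESULT",
    "Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0041:7: 6796e02d: Could not find SSO domain, check variable assign agent setting",
    "Feb 5 21:15:48 XXXXXXXLTMdebug websso.0[9299]: 014d0001:7: sso_disable: 1, _needAuth: 0",
    '"SSO username is empty - SSO is disabled"',
    '"Could not find SSO username, check SSO credential mapping agent setting"',
    "\"Could not find SSO password for user '', check SSO credential mapping agent setting\"",
]

if __name__ == "__main__":
    for sid, missing, fix in triage(SAMPLE):
        print(f"session={sid or '-'} missing={missing}: {fix}")
```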