Forum Discussion

Raghbir_Sandhu
Mar 30, 2021

AD Authentication Failing in APM

The following steps were taken. However, I am getting the error Common/devportal.kellogg.com_access_process:Common:eff7711c: AD module: authentication with 'testuser1' failed: Invalid format of Kerberos lifetime or clock skew string, principal name: xxxxxxx@abc.COM. Please verify Active Directory and DNS configuration. (-1765328136). I have been struggling with this error for a few days, with no success. Looking for an answer from the experts. Please advise.

  1. Created a node for AD Domain Controller
  2. Created a Pool and added AD domain controller
  3. LDAP based health check working
  4. DNS setup working
  5. NTP setup and working
  6. AAA Active Directory Object created
  7. APM policy created with Active Directory authentication.
  8. Enabled APM Debug log.

Cheers,

Raghbir

5 Replies

  • Did the server team check that their AD server has the same time/clock values and also their logs? The issue will not always be the F5. Also check the hardware clock on the F5 device just in case:

    https://support.f5.com/csp/article/K3381

    Maybe also test whether there are any issues with LDAP; you may use ldapsearch or the adtest tool on the F5 device, as maybe the F5 is not telling us what the exact issue is.

    If someone has a better idea, please also share it.

    Also, have you checked everything in:

    https://support.f5.com/csp/article/K24065228

    https://support.f5.com/csp/article/K40119818

    • Raghbir_Sandhu

      Thanks for the reply. I have checked the HW and system time. They were different; however, now the HW and system time are within 3 seconds. The other thing is, I am able to authenticate using LDAP AAA (not Active Directory). I used the same AD servers. But authentication failed with Active Directory AAA.

      One question I have: can we use the AAA LDAP authentication for Kerberos SSO with the Kerberos SSO profile?

      Any suggestions?

      • Nikoolayy1

        Still better to also ask the server team to check their AD logs and so on. See "Table 3.1 Client-side and server-side authentication method support matrix" at the link below:

        https://support.f5.com/csp/article/K08200035#link_02

        Basically, on the F5 device you use the APM web form (webtop) or HTTP Basic for the client-side authentication, and the server-side authentication (SSO) can be Kerberos.

  • For future issues, follow this article: https://support.f5.com/csp/article/K40119818 . So the SSO worked for you and the server team couldn't help with the SAML or AD authentication?
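As an added example (not from this thread and not F5's code), a Python check for the clock point raised in the first reply: it compares a domain controller's rootDSE currentTime, which ldapsearch returns even when only the LDAP AAA works, against the local clock, and pulls the numeric krb5 code out of the APM log line so it can be looked up. The ldapsearch output and the log line are constructed samples; the 300-second tolerance assumed here is the Kerberos default.

```python
"""Clock-skew and log-code check for the AD/Kerberos failure in this thread (added example)."""
import re
from datetime import datetime, timezone

KERBEROS_MAX_SKEW = 300  # seconds; assumed default Kerberos clock-skew tolerance

# Constructed sample of the rootDSE line returned by:
#   ldapsearch -x -H ldap://<dc> -s base currentTime
SAMPLE_LDAP_OUTPUT = """dn:
currentTime: 20210330120500.0Z
"""

# Constructed copy of the question's APM log line (hostnames replaced)
SAMPLE_APM_LOG = ("AD module: authentication with 'testuser1' failed: Invalid format of "
                  "Kerberos lifetime or clock skew string, principal name: user@EXAMPLE.COM. "
                  "Please verify Active Directory and DNS configuration. (-1765328136)")


def parse_ad_time(ldap_output: str) -> datetime:
    """Parse the rootDSE currentTime attribute (LDAP GeneralizedTime, e.g. 20210330120500.0Z)."""
    m = re.search(r"^currentTime:\s*(\d{14})(?:\.\d+)?Z\s*$", ldap_output, re.M)
    if not m:
        raise ValueError("currentTime attribute not found in ldapsearch output")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def clock_skew_seconds(ldap_output: str, local_now: datetime) -> float:
    """Signed skew in seconds between the DC clock and local_now (positive: DC is ahead)."""
    return (parse_ad_time(ldap_output) - local_now).total_seconds()


def skew_within_kerberos_limit(skew: float) -> bool:
    """True when the absolute skew is inside the tolerance Kerberos accepts."""
    return abs(skew) <= KERBEROS_MAX_SKEW


def krb5_error_code(log_line: str):
    """Extract the trailing numeric krb5 code, e.g. (-1765328136), from an APM AD-module log line."""
    m = re.search(r"\((-?\d+)\)\s*$", log_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    skew = clock_skew_seconds(SAMPLE_LDAP_OUTPUT, datetime.now(timezone.utc))
    print(f"DC vs local skew: {skew:+.0f}s, within Kerberos limit: {skew_within_kerberos_limit(skew)}")
    print("krb5 code in APM log line:", krb5_error_code(SAMPLE_APM_LOG))
```

Run the ldapsearch command against the same domain controller the AD AAA object points at, paste its output in place of the constructed sample, and compare the skew on both the F5 and the DC with the date given by the NTP setup.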