Forum Discussion

Christian_Nishi
Aug 09, 2019

HTTP 401 Response - Missing Split domain from full username - V13.1.1.4

Hi there F5 community,


I'm struggling with an authentication error. Currently I'm using a logon page with the option "Split domain from full username" and it's working. For another scenario, I need to use an HTTP 401 Response, but I don't have that option and AD auth is trying to construct the user and fails:


 AD module: authentication with '<domain>\\<username>@<fqdn domain>' failed: Client '<domain\\<username>\@<fqdn domain>@<fqdn domain>' not found in Kerberos database, principal name: <domain\\<username>\@<fqdn domain>@<fqdn domain>. Please verify Active Directory and DNS configuration. (-1765328378)

I have a multi-domain environment; the AD Auth is configured with Cross Domain Support enabled and Trusted Domains. Is there any way to work around this, or to set the split using variables in order to successfully authenticate? Thanks in advance.


Regards,

Christian


5 Replies

    • Christian_Nishi

      I tried with several combinations, but still no luck.

      session.logon.last.username and session.logon.last.logonname are using the right user (Domain\User)

      Looking on the APM log, I see:


      Username 'mydomain\myuser'

      AD module: authentication with 'mydomain\\myuser@trusteddomain'  failed: Client 'mydomain\\myuser\@trustedomain@trusteddomain' not found in Kerberos database, principal name: mydomain\myuser@trustedomain. Please verify Active Directory and DNS configuration. (-1765328378)


      I have a multi-domain environment, AD auth is configured with Trusted Domains, and it looks like it is using the default domain to complete the user name. I can't find a way to use last.logonname or last.username against the AD Auth...

  • You can always do the splitting yourself via the APM Visual Policy Editor.


    An awesome introduction can be found here:

    https://f5-agility-labs-iam.readthedocs.io/en/latest/class8/module4/module4.html


    Specifically, splitting with the VPE is covered here:

    https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107

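A worked version of the "do the splitting yourself" approach from the reply above, as an added example that is not from this thread or from either linked article. It consists of two APM Variable Assign custom expressions in Tcl, wrapped in a small tclsh harness so the expressions can be checked offline with constructed sample logon values before they go into a policy. Assumptions (verify against your own policy): the raw value arrives in `session.logon.last.username`, and the AD Auth agent reads `session.logon.last.domain` and `session.logon.last.username` after the assign. The `mcget` stub, the `TRUSTED_DOMAINS` allow list and the `domain_allowed` helper are constructed for the harness only.

```tcl
# Added example, not code from the thread or from the linked articles.
# Two APM Variable Assign custom expressions that split a logon value of the
# form "DOMAIN\user" or "user@realm.example" into a domain and a bare
# username, wrapped in a tclsh harness so they can be checked offline.
# Assumptions: the raw value arrives in session.logon.last.username, and the
# AD Auth agent reads session.logon.last.domain / session.logon.last.username
# after the assign (verify against your own policy's variable names).

# --- tclsh stand-in for APM's mcget; delete when pasting into the VPE -------
array set SESSION {}
proc mcget {name} { global SESSION; return $SESSION($name) }

# --- Variable Assign #1: session.logon.last.domain = custom expression -------
# DOMAIN\user  -> text before the backslash
# user@realm   -> text after the @
# bare user    -> "" (AD Auth then falls back to its configured default domain)
proc domain_expr {} {
    expr {
        [string first "\\" [mcget {session.logon.last.username}]] >= 0
            ? [lindex [split [mcget {session.logon.last.username}] "\\"] 0]
            : ( [string first "@" [mcget {session.logon.last.username}]] >= 0
                ? [lindex [split [mcget {session.logon.last.username}] "@"] 1]
                : "" )
    }
}

# --- Variable Assign #2: session.logon.last.username = custom expression -----
# Run this one after #1: it overwrites the raw value with the bare username.
proc username_expr {} {
    expr {
        [string first "\\" [mcget {session.logon.last.username}]] >= 0
            ? [lindex [split [mcget {session.logon.last.username}] "\\"] 1]
            : [lindex [split [mcget {session.logon.last.username}] "@"] 0]
    }
}

# --- Branch-rule idea: only hand domains you actually trust to AD Auth ------
# Constructed allow list; replace with the trusted domains of your deployment.
# lsearch (not the 8.5 "in" operator) keeps the expression valid on older Tcl.
set TRUSTED_DOMAINS {mydomain trusteddomain}
proc domain_allowed {domain} {
    global TRUSTED_DOMAINS
    expr { [lsearch -exact $TRUSTED_DOMAINS [string tolower $domain]] >= 0 }
}

# --- Offline check with constructed sample logon values ---------------------
foreach {raw want_domain want_user} {
    {MYDOMAIN\myuser}        MYDOMAIN        myuser
    {myuser@trusted.example} trusted.example myuser
    {myuser}                 {}              myuser
} {
    set SESSION(session.logon.last.username) $raw
    set domain [domain_expr]
    set user   [username_expr]
    if { $domain ne $want_domain || $user ne $want_user } {
        error "split of '$raw' gave domain='$domain' user='$user'"
    }
    puts [format "%-24s -> domain=%-16s user=%-8s allowed=%s" \
              $raw $domain $user [domain_allowed $domain]]
}
```

To use it in the VPE, paste only the `expr { ... }` bodies into two Variable Assign entries (domain first, then username, since the second overwrites the raw value), and drop the `mcget` stub and the harness. Keeping the derived domain on an allow list before AD Auth runs means a caller cannot steer authentication at an arbitrary realm just by typing it into the username field.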

    • Christian_Nishi

      Thanks a lot! I'm doing some tests right now. Do you know the variable that AD Auth consumes to perform the authentication?

  • Hello Christian,


    1. Since this is multi-domain with cross-domain enabled, do the 2 domains have a 2-way transitive trust?
    2. Are you saying that the username sent to the second domain is Domain_2\username?