Pulse Secure formerly SSL VPN
Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos
Accepted Solution

SA with NLB

hi all,

 

We are trying to deploy the CRM 2011 web application with a network load balancer (NLB) behind our SSL VPN. There is no problem accessing the CRM via the NLB from an internal workstation. After configuring it on our SA, we can see the link after logging on to the SA, but when I click the link it keeps prompting us to enter the login and password, even though I typed the correct ID and password.

Any special setting it needs?

 

And our SSLVPN is SA 4500 with 7.1R2 (build 18193) and NLB is F5 1600.

 

Thanks,

Kat

 

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB

are you staying on the same system? if you bypass the NLB, does it work?

what does your user access log show?

are you trying to do SSO as well?

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Yes, I stayed in the same environment; if it points to either one of the hosts, it works fine. And it also works fine without the SSL VPN.

 

How do I check the user log? I'm just a beginner with the SA.

 

Yes, I applied SSO already.

 

How do I start to troubleshoot?

 

Regards,

Lawpak

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

I find a minor ERR24617

 

2012-06-21 14:47:37 - XXXXX-SA-01 - [202.XX.XX.XX] XXXXXXX\kat.law(XXXXX Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.XXXXX.COM, host crm_vpn.hk.aedas.com failed: Fetch TGS fetch error: Server not found in Kerberos database

  

Is it related?

 

regards,

Lawpak

Trusted Expert
Posts: 384
Registered: ‎08-09-2011
0 Kudos

Re: SA with NLB

Hi Lawpak,

 

Does CRM access work if you disable SSO?

 

I believe that you are using Kerberos SSO. "Server not found in Kerberos database" can occur if the KDC (Key Distribution Center) could not translate the SPN (Service Principal Name) from the KDC request into an account in Active Directory. This generally happens due to multiple SPNs being created for the service on the domain controller.

 

Please use the KB below to resolve the issue:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17804&cat=ssl_vpn&actp=LIST&smlogin=true

 

Also, instead of using Kerberos SSO, can you try using NTLM if possible?

 

Hope this helps.

 

NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

Regards,
Kannan


 

 

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB


lawpak wrote:

I find a minor ERR24617

 

2012-06-21 14:47:37 - XXXXX-SA-01 - [202.XX.XX.XX] XXXXXXX\kat.law(XXXXX Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.XXXXX.COM, host crm_vpn.hk.aedas.com failed: Fetch TGS fetch error: Server not found in Kerberos database

  

Is it related?

 

regards,

Lawpak


yes, that means that crm_vpn.hk.aedas.com does not exist as a server in your environment that the user has access to for KDC intermediation.

officially, Microsoft does not support SSO with KDC using load balancing as each server needs to be listed. I have heard of it working as long as an alias exists for that server in the AD database.

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

[ Edited ]

Hi Kannan,

 

I tried the command "setspn -x" on my DCs, but the result looks like there is no "-x" option; the result is listed below:

(My AD version is 2003)

 

And I have tested it without SSO also; it still keeps prompting me to input the login ID and password.

 

regards,

lawpak

 

-------------------------------------

setspn -x

 

Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

  Switches:
   -R = reset HOST ServicePrincipalName
        Usage:   setspn -R computername
   -A = add arbitrary SPN
        Usage:   setspn -A SPN computername
   -D = delete arbitrary SPN
        Usage:   setspn -D SPN computername
   -L = list registered SPNs
        Usage:   setspn [-L] computername

Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"

-------------------------------------

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB

Are you using Server 2003 or 2008?

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Our DC is Windows 2003 and the AD version is 2003 as well.

 

regards,

lawpak

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB

Does your NLB name exist as one of your delegated hosts? If not, you need to get that set.

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

HI Zanyterp,

 

No, actually there is no binding for the web site at all, and it works fine on our internal network, but not through the SSL VPN.

 

I have tested after adding the delegated host to the web site, but it fails; it kept prompting me to enter the ID and password.

 

regards,

lawpak

 

 

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB

I'm not sure how it is working without a bound host. What does your user access log show now with the changes made?

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Hi,

 

the following is the user log:

 

thanks,

lawpak

 

Info AUT22886 2012-06-22 11:20:20 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Session timed out for DOMAIN\kat.law/Domain Users (session:00000000) due to inactivity (last access at 11:04:23 2012/06/22). Idle session identified during routine system scan.
Info WEB20174 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest completed, GET to http://crm:5555//domainCRMProdEnv/m from 192.168.101.216 result=401 sent=31 received=0 in 0 seconds
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm failed: Fetch TGS fetch error: Server not found in Kerberos database
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm.hk.domain.com failed: Fetch TGS fetch error: Server not found in Kerberos database
Info WEB20169 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest ok : Host: crm, Request: GET /domainCRMProdEnv/m HTTP/1.1
Info WEB24618 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Web SSO: Fetched Kerberos TGT Ticket Client: kat.law@HK.domain.COM, Server: krbtgt/HK.domain.COM@HK.domain.COM, auth 06/22/12 11:04:39, start 06/22/12 11:04:39, end 06/22/12 21:04:39, renew 01/01/70 07:00:00, current 06/22/12 11:04:39
Info WEB20174 2012-06-22 11:04:28 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest completed, GET to http://crm:5555//domainCRMProdEnv/m from 192.168.101.216 result=401 sent=31 received=0 in 0 seconds
Info WEB20169 2012-06-22 11:04:28 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest ok : Host: crm, Request: GET /domainCRMProdEnv/m HTTP/1.1
Info AUT22670 2012-06-22 11:04:23 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Login succeeded for DOMAIN\kat.law/Domain Users (session:00000000) from 10.0.0.1.
Info AUT24326 2012-06-22 11:04:22 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[] - Primary authentication successful for DOMAIN\kat.law/Domain AD from 10.0.0.1
Info AUT22673 2012-06-22 11:04:10 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Logout from 10.0.0.1 (session:00000000)
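Both readings of ERR24617 given earlier in the thread (the moderator's: the host named in the request does not exist as a server the KDC knows; Kannan's: the SPN exists but on more than one account) can be checked mechanically against the user access log. The following Python script is an added example, not code from the thread or from Juniper/Pulse. It parses ERR24617 entries of the form shown above (the sample lines are constructed, redacted copies of the posted entries), assumes that the SA's web SSO requests a service ticket for HTTP/<host> where <host> is exactly the host part of the resource URL, and checks that name against a constructed SPN inventory (hypothetical account names) of the shape `setspn -L` output or an LDAP export of servicePrincipalName would give. On this sample it reports the short name `crm` as missing (the reason Jai later asks for the FQDN) and the NLB FQDN as registered twice.

```python
import re
from collections import defaultdict

# Assumption: web SSO asks the KDC for a ticket for HTTP/<host>, where <host>
# is taken verbatim from the resource URL (short name or FQDN).
SERVICE_CLASS = "HTTP"

# Constructed sample: redacted copies of the user access log entries posted above.
SAMPLE_LOG = r"""
Info WEB20174 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[CRM] - WebRequest completed, GET to http://crm:5555//domainCRMProdEnv/m from 192.168.101.216 result=401 sent=31 received=0 in 0 seconds
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm failed: Fetch TGS fetch error: Server not found in Kerberos database
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm.hk.domain.com failed: Fetch TGS fetch error: Server not found in Kerberos database
Info WEB24618 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[CRM] - Web SSO: Fetched Kerberos TGT Ticket Client: kat.law@HK.domain.COM, Server: krbtgt/HK.domain.COM@HK.domain.COM
"""

# Constructed SPN inventory (hypothetical accounts, not from the thread):
# account -> servicePrincipalName values, as `setspn -L <account>` would list them.
# Each NLB member carries its own SPNs; the NLB name crm.hk.domain.com was
# registered on two accounts, and no SPN at all exists for the short name "crm".
SPN_INVENTORY = {
    "CRMWEB01$": ["HOST/CRMWEB01", "HOST/crmweb01.hk.domain.com",
                  "HTTP/crmweb01.hk.domain.com"],
    "CRMWEB02$": ["HOST/CRMWEB02", "HOST/crmweb02.hk.domain.com",
                  "HTTP/crmweb02.hk.domain.com", "HTTP/crm.hk.domain.com"],
    "svc-crmpool": ["HTTP/crm.hk.domain.com"],
}

# ERR24617 entry: "... realm <REALM>, host <HOST> failed: <reason>"
TGS_FAIL = re.compile(
    r"ERR24617 .*?realm (?P<realm>\S+), host (?P<host>\S+) failed: (?P<reason>.*)$"
)


def failed_tgs_hosts(log_text):
    """Return (host, realm, reason) for every ERR24617 entry in an SA user access log."""
    hits = []
    for line in log_text.splitlines():
        m = TGS_FAIL.search(line)
        if m:
            hits.append((m.group("host"), m.group("realm"), m.group("reason").strip()))
    return hits


def spn_index(inventory):
    """Map each SPN (lower-cased: AD matches SPNs case-insensitively) to the accounts holding it."""
    index = defaultdict(list)
    for account, spns in inventory.items():
        for spn in spns:
            index[spn.lower()].append(account)
    return index


def diagnose(log_text, inventory, service_class=SERVICE_CLASS):
    """Classify each host the SA failed to obtain a TGS for.

    missing       -> no account holds <service_class>/<host>; the KDC has nothing to issue a ticket for
    duplicate:a,b -> more than one account holds it; the name is ambiguous to the KDC
    registered:a  -> exactly one account holds it; look elsewhere (DNS alias, delegated host list)
    """
    index = spn_index(inventory)
    report = {}
    for host, _realm, _reason in failed_tgs_hosts(log_text):
        owners = index.get(f"{service_class}/{host}".lower(), [])
        if not owners:
            report[host] = "missing"
        elif len(owners) > 1:
            report[host] = "duplicate:" + ",".join(sorted(owners))
        else:
            report[host] = f"registered:{owners[0]}"
    return report


if __name__ == "__main__":
    for host, status in diagnose(SAMPLE_LOG, SPN_INVENTORY).items():
        print(f"{SERVICE_CLASS}/{host}: {status}")
```

To use this against a real environment, replace SPN_INVENTORY with the `setspn -L` output for each candidate account (or an LDAP query on servicePrincipalName) and feed it the exported user access log. The duplicate check here does by hand what the duplicate-search switch of the newer setspn does; the Windows 2003 build shown earlier in the thread does not have it.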

Recognized Expert
Posts: 416
Registered: ‎11-25-2009
0 Kudos

Re: SA with NLB

Hi Kat,

 

Can you please take a session recording and a policy trace recording web policies while SSO is disabled for the CRM resource, and attach them here. This will determine the authentication used by the backend resource, and we can configure SSO policies based on that.

 

Note : you can try the below setting and see if it helps

 

Under the SSO policies (Basic Auth, NTLM and Kerberos policies), please make sure that you exclude the role we are using from the initial basic auth or no-SSO policy.

 

Try configuring NTLM and Basic SSO policies for the resource, move them to the top and apply them to the role. We do not know at this point what authentication methods the backend is using, so we can try both NTLM and Basic and test; the session recording will show the auth methods supported.

 

Thanks,

Jai

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Hi Jai,

 

Attached the log we tested.

 

Thanks

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: SA with NLB

Does it work from a computer, or is it the same result as the iPhone log you attached?

From the user access log you attached, you are continuing to try and configure auth for a server that doesn't exist.

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Both desktop and iPhone didn't work until I changed the Resource address to the IP instead of the alias under Autopolicy:SSO.

 

Any way I can use alias but not ip address ? Attached the screen shot for your ref.

 

Thanks

Recognized Expert
Posts: 416
Registered: ‎11-25-2009
0 Kudos

Re: SA with NLB

Hi Kat,

 

Thanks,

 

The authentication supported on the backend is both Kerberos and NTLM.

 

2 suggestions:

 

1. Please use the FQDN for the resource bookmark and do not use the short name CRM, as the SSO policy might not get applied correctly.

 

2. Define an NTLM SSO policy for the resource, which is defined as the FQDN.

 

To define one, go to Web-->Resource Policies-->SSO-->General, go to NTLM and enable it, enter your domain, variable username <USERNAME> and variable password <PASSWORD>, and create an NTLM SSO policy for the resource with the credential selected as the one we created.

 

Regards,

Jay

Contributor
Posts: 17
Registered: ‎06-07-2012
0 Kudos

Re: SA with NLB

Thanks Jay, it looks to be working fine.

Visitor
Posts: 5
Registered: ‎02-03-2010
0 Kudos

Re: SA with NLB

Could you please provide all the settings for CRM 2011 on your SA?

 

I have a problem: when I click on the link of my bookmark, the CRM does not load correctly. Advanced search does not work correctly.

 

Thanks,