0 votes

I am trying to build a 3 node HA/DR setup with 2 nodes behind an F5 at our main colo and then the 3rd at our DR site...having issues with the SSO for the selfservice...before I put it behind the F5 I am having issues with node 2 working with the shared FQDN...Ideally I would like something like password.domain.local to point to the VIP and then if something should happen, have a short TTL and execute a DNS change to our DR site (till we get F5 GTMs)

thoughts???

oh and if I go to the server by shortname, SSO works...both boxes are trusted for delegation and SPNs are identical excluding ports...

the method I am testing with is adjusting HOSTS and the A record, verifying it's flushed and the TTL has WELL expired

:roll:

by (490 points)

1 Answer

0 votes
by (215k points)

Hello,

Adaxes uses the Kerberos authentication mechanism for SSO. Take a look at the following article that describes how to set up Kerberos delegation with F5: http://support.f5.com/kb/en-us/products ... ation.html. Make sure that you've completed all the steps listed in the article to enable Kerberos authentication in your F5 farm.

Also, if you performed all the steps as described in the article but still cannot get SSO working, the reason can be that the Kerberos ticket cache on your computer is full. Try purging the Kerberos ticket cache on the computer from which you are trying to view the Web Interface. For this purpose, do the following:

  1. On the computer from which you are trying to access Adaxes Web Interface, start Windows Command Prompt (cmd.exe).
  2. In the Command Prompt console, type:
    klist purge
  3. Press Enter.
  4. Answer Yes (Y) to all confirmations.
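
A client-side check that goes a little beyond the purge steps above, as an added example that is not part of the original answer or of Adaxes: it counts how many AD accounts hold the SPN for the shared name, purges the ticket cache, and then requests a fresh service ticket. `password.domain.local` is the example name from the question; the `HTTP/` service class without a port is an assumption.

```powershell
# Added example: run on a domain-joined client as the affected user.
# Assumption: the Web Interface is reached at the shared name from the question.
$SharedName = 'password.domain.local'
$Spn        = "HTTP/$SharedName"

# 1. Count the accounts in the current domain that hold this SPN.
#    Kerberos can only issue a ticket when exactly one account holds it.
#    Only the explicit HTTP/ form is checked here; a HOST/ SPN for the
#    same name would also cover HTTP by default.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PageSize = 100
$holders = @($searcher.FindAll() |
    ForEach-Object { $_.Properties['distinguishedname'][0] })

switch ($holders.Count) {
    0       { Write-Warning "$Spn is not registered on any account in this domain." }
    1       { Write-Host "$Spn is registered on: $($holders[0])" }
    default { Write-Warning "$Spn is duplicated on $($holders.Count) accounts:"
              $holders }
}

# 2. Purge the cached tickets for the current logon session.
klist purge | Out-Null

# 3. Request a fresh service ticket for the shared name, then confirm
#    that it actually landed in the cache.
klist get $Spn | Out-Null
$cached = klist | Select-String -SimpleMatch $Spn

if ($cached) {
    Write-Host "Service ticket for $Spn obtained:"
    $cached | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "No ticket for $Spn in the cache; the KDC did not issue one for this name."
}
```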
