Forum Discussion

MikeIs_61713
Aug 03, 2011

Active Directory AAA server failing when just specify the domain name




I am trying to setup an Active Directory AAA server on a BIG-IP Edge gateway to use when connecting to a web application. In defining the AAA server, I would just like to give the domain name, and let the edge gateway query DNS for the domain controllers for that domain.



Environment: BIG-IP Edge Gateway running 10.2.2 (Build 852). The edge's internal interface goes into the firewall, and DNS, Kerberos, LDAP and HTTP are allowed through the firewall to the DNS server/domain controller/web server.



When I configure the AAA server with just the domain name, and attempt to login, an error is returned that the edge gateway was unable to find a KDC for the domain (apologies, I do not have the exact message).



If I configure the AAA server with the IP address of one of the domain controllers, the login works fine.



Can anyone suggest why the edge is failing to connect to a KDC when I give just the domain name to the AAA server? Are there other ports I need to allow through the firewall?



Thanks in advance,




1 Reply

  • Solution: The following seemed to fix the problems

    1. Allow LDAP UDP through firewall

    2. Update /etc/krb5.conf on the BIG-IP to enable DNS lookup for the realm and KDC

               [libdefaults]
               # section header added: these keys only take effect under [libdefaults]
               default_realm = EXAMPLE.COM
               # the two dns_lookup_* keys were pasted as "false", which would leave
               # DNS discovery off; set to "true" to match the step described above
               dns_lookup_realm = true
               dns_lookup_kdc = true
               ticket_lifetime = 24h
               forwardable = yes

    This then impacted AD Queries for authorisation, and we had to ensure that DNS could resolve both
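What the `dns_lookup_kdc = true` setting in the reply actually commits the BIG-IP to is a pair of DNS SRV lookups, `_kerberos._udp.<realm>` and `_kerberos._tcp.<realm>`, which is why the DNS server behind the firewall must carry those records and the firewall must pass the DNS queries. The script below is an added example, not code from the original thread or from F5: it builds that SRV query in wire format, parses a response, and orders the returned KDCs the way a Kerberos client does (lowest priority first). The realm `EXAMPLE.COM`, the hostnames `dc1`/`dc2.example.com` and the response bytes are all constructed for the example; a real DNS server can be substituted through the `udp_resolver` helper. The UDP LDAP rule in step 1 is the separate CLDAP port (UDP 389) that the domain-controller locator uses after DNS has named the candidates; it is not covered by this script.

```python
"""Offline demonstration of Kerberos KDC discovery over DNS SRV records.

Constructed example (not from the forum post or F5). Shows which DNS
question ``dns_lookup_kdc = true`` causes the client to ask, and what a
usable answer looks like, so a practitioner can check that the DNS server
behind the firewall answers it before blaming the AAA server.
"""
import socket
import struct

SRV_TYPE = 33       # SRV record type code
IN_CLASS = 1        # Internet class
REALM = "EXAMPLE.COM"   # assumed realm, matching the krb5.conf in the reply


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive-desired query for one SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(msg: bytes):
    """Return [(priority, weight, port, target)] from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF != 0:          # NXDOMAIN/SERVFAIL: no KDC can be located via DNS
        return []
    off = 12
    for _ in range(qd):           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def order_kdcs(records):
    """RFC 2782 order: lowest priority first. Real clients randomise by weight
    within one priority; sorting by descending weight keeps this deterministic."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def build_constructed_response(query: bytes, answers):
    """Constructed test data: the answer a DNS server would return for the query."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b""
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + query[12:] + body


def build_nxdomain_response(query: bytes) -> bytes:
    """Constructed failure case: the realm has no _kerberos SRV records."""
    return struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8183, 1, 0, 0, 0) + query[12:]


def udp_resolver(dns_server: str, timeout: float = 2.0):
    """Resolver that talks to a real DNS server (assumed reachable on UDP 53)."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (dns_server, 53))
            return s.recv(4096)
    return send


def locate_kdcs(realm: str = REALM, resolver=None):
    """Ask for _kerberos._udp.<realm> (the _tcp variant is the same shape)."""
    query = build_srv_query(f"_kerberos._udp.{realm.lower()}")
    if resolver is None:          # offline path with constructed DCs
        resolver = lambda q: build_constructed_response(
            q, [(10, 100, 88, "dc2.example.com"), (0, 100, 88, "dc1.example.com")])
    return order_kdcs(parse_srv_response(resolver(query)))


if __name__ == "__main__":
    for prio, weight, port, host in locate_kdcs():
        print(f"KDC {host}:{port} (priority {prio}, weight {weight})")
```

Against a live environment, call `locate_kdcs("EXAMPLE.COM", udp_resolver("10.0.0.53"))` with the address of the DNS server the BIG-IP actually uses; an empty list means the firewall is not the problem yet, because the SRV records themselves are missing or the query never reached the server.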