Forum Discussion

MikeIs_61713
Aug 03, 2011

Active Directory AAA server failing when just specify the domain name

Hi,

I am trying to setup an Active Directory AAA server on a BIG-IP Edge gateway to use when connecting to a web application. In defining the AAA server, I would just like to give the domain name, and let the edge gateway query DNS for the domain controllers for that domain.

Environment: BIG-IP Edge Gateway running 10.2.2 (Build 852). The edge's internal interface goes into the firewall, and DNS, Kerberos, LDAP and HTTP are allowed through the firewall to the DNS server/domain controller/web server.

When I configure the AAA server with just the domain name, and attempt to login, an error is returned that the edge gateway was unable to find a KDC for the domain (apologies, I do not have the exact message).

If I configure the AAA server with the IP address of one of the domain controllers, the login works fine.

Can anyone suggest why the edge is failing to connect to a KDC when I give just the domain name to the AAA server? Are there other ports I need to allow through the firewall?

Thanks in advance,

MikeI

  • Solution: The following seemed to fix the problems

    1. Allow LDAP UDP through the firewall

    2. Update /etc/krb5.conf on the BIG-IP to enable DNS lookup for the realm and KDC

       [libdefaults]
           default_realm = EXAMPLE.COM
           # both lookups must be enabled, otherwise the KDC is only found
           # through a [realms] entry and the DNS-only configuration fails
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes

    This then impacted AD Queries for authorisation, and we had to ensure that DNS could resolve both
        _kerberos-master._udp
    and
        _kerberos._udp
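The two checks the solution above depends on, as an added example that is not part of the thread or of any F5 tooling: parse the [libdefaults] section of a krb5.conf and confirm DNS KDC discovery is switched on, then work out which SRV names the resolver must answer for the realm and read a `dig +short SRV` answer into the order a client would try the KDCs. The krb5.conf text and the SRV answer embedded below are constructed samples modelled on the EXAMPLE.COM realm in the thread; the `dig` call is optional and is only attempted if the binary is present.

```python
"""Verify DNS-based KDC discovery prerequisites for a Kerberos realm."""
import re
import subprocess

# Constructed sample, modelled on the thread's krb5.conf after the fix.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    EXAMPLE.COM = {
    }
"""

# Constructed answer in the shape `dig +short SRV _kerberos._udp.example.com` prints:
# priority weight port target
SAMPLE_SRV_ANSWER = """\
0 100 88 dc1.example.com.
0 100 88 dc2.example.com.
10 50 88 dc3.example.com.
"""


def parse_libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section as a dict."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def dns_discovery_enabled(conf_text):
    """True when dns_lookup_kdc allows the KDC to be found via SRV records."""
    val = parse_libdefaults(conf_text).get("dns_lookup_kdc", "")
    return val.lower() in ("true", "yes", "1")


def srv_names(realm):
    """SRV names an MIT krb5 client queries for a realm, most common first."""
    r = realm.lower()
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}", f"_kerberos-master._udp.{r}"]


def parse_srv_answers(dig_short_output):
    """Turn `dig +short SRV` lines into (priority, weight, port, target)
    tuples, ordered as a client tries them: lowest priority, highest weight."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def query_srv(name):
    """Live lookup through dig; returns [] when dig is missing or silent."""
    try:
        out = subprocess.run(["dig", "+short", "SRV", name],
                             capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return parse_srv_answers(out.stdout)


if __name__ == "__main__":
    print("dns_lookup_kdc enabled:", dns_discovery_enabled(SAMPLE_KRB5_CONF))
    realm = parse_libdefaults(SAMPLE_KRB5_CONF)["default_realm"]
    for name in srv_names(realm):
        print(name, "->", query_srv(name) or "no answer (or dig not installed)")
    print("sample answer parsed:", parse_srv_answers(SAMPLE_SRV_ANSWER))
```

Run it on the BIG-IP's real /etc/krb5.conf by reading the file into `parse_libdefaults`; an empty result from `query_srv` for `_kerberos._udp.<realm>` while `dns_lookup_kdc` is true reproduces exactly the "unable to find a KDC" condition from the original post, and points at DNS (or the firewall in front of it) rather than at the AAA server definition.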