Forum Discussion
AD authentication with LDAPS
- Feb 11, 2020
Been some time but didn't have time to test it out. I tried with Pool but same result.
Logged a support case and they confirmed it's not possible with AD auth. They said they know the security patch is coming and are working on something. It should be there before the Microsoft security patch is released.
There is a VS1 that has an APM policy that uses an AAA (AD) object to authenticate users.
I created a separate internal VS2 with ARP off on the virtual address (Layered VS in F5 terms). This layered VS is setup with a server ssl profile and contains a pool with the real AD servers as members.
In the APM AAA (AD) object used in the APM policy on VS1 I used the IP address of VS2 in order to be able to do LDAPS requests to the backend AD servers.
Then when I test with adtest tool or even by trying to authenticate to VS1 I see the packets being sent towards the MAC address of the next hop and not towards VS2? Why isn't it sent to the internal VS2?
In the logs it's shown that the F5 tried to reach the AD server but not KDC principal name was found
Can you understand the setup now?
Ok, got it.
Last question (and sorry for being so insistent).
In the APM AAA (AD) object used in the APM policy on VS1, do you have the VS2 IP in "Use pool" or in "Direct"?
Other than that, with this procedure i think it should work:
I´ll try it in the lab if i have time later today.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com