APM - authentication does not work when pool of AD servers are used

Question

Dear AllI am facing issue with APM AD authentication.&nbsp;Access &nbsp;›› &nbsp;Authentication&nbsp;When i use single AD server, authentication works fine.The moment i change to pool of AD servers, it stops working.( i tried adding only the known working AD server)&nbsp;I am just using a simple APM policy.Please help.&nbsp;Thank you&nbsp;

amine_kadimi · Answer

Can you share configuration of AAA &gt; AD for both working and not working configurations?
Do you have any relevant entries in access logs? Did you increase the log level of Access Policy to debug? (Configuring the BIG-IP APM Logging Levels (12.x and newer) (f5.com))

bravo · Answer

Dear AminePlease see the configurations.The one used as "pool" is not workingThe one used as "Direct" is working.&nbsp;The logs shows as below:&nbsp;01490010:5: /Common/Azure_AD_Servers:Common:f040bbbf: Username ''Feb 25 13:19:24 exlb-f502.azure.com err apmd[14492]: 01490107:3: /Common/Azure_AD_Servers:Common:fb31d8a4: AD module: authentication with 'xxxx' failed: Cannot contact any KDC for realm 'ZZZ.COM', principal name: arul@ZZZ.COM &nbsp;(-1765328228)&nbsp;Thank youArul

keesvandenbos · Answer

What is the status of the pool member?I also think you should use a tcp health monitor with port 88 to make sure the DC is up and running.

bravo · Answer

In the pool i am using single IP ( which is the same IP , when i use DIRECT)&nbsp;In logs i notice this -&nbsp;: /Common/Azure_AD_Servers:Common:a9df6506: Session variable 'session.ad.last.errmsg' set to 'Cannot contact any KDC for realm &amp;#39;xxx.COM&amp;#39;, principal name: arul@xxx.COM'&nbsp;I have checked DNS and ntp settings too, still no good&nbsp;Thank you

amine_kadimi · Answer

I second KeesvandenBos on the health monitor. Additionally, I would not use any health monitor while troubleshooting, and instead use tcpdump and filter for traffic between APM and DCs and look for any packets going from APM to DC but not receiving any answer, look in particular for port 389 and 88.

Forum Discussion

APM - authentication does not work when pool of AD servers are used

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Selective mutual authentication by HTTP::Host

How does F5 process a traffic

Does Websafe include Datasafe?

On an LTM virtual server, does i-rule processing preceed the connection profile or is it the other way around?

Authentication via Azure AD blocked by Access policy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS