Forum Discussion

Nimbostratus

Feb 26, 2024

APM - authentication does not work when pool of AD servers are used

Dear All I am facing issue with APM AD authentication. Access ›› Authentication When i use single AD server, authentication works fine. The moment i change to pool of AD servers, it sto...

application delivery

Amine_Kadimi

MVP

Feb 26, 2024

Can you share configuration of AAA > AD for both working and not working configurations?

Do you have any relevant entries in access logs? Did you increase the log level of Access Policy to debug? (Configuring the BIG-IP APM Logging Levels (12.x and newer) (f5.com))

Bravo
Nimbostratus
Feb 27, 2024
Dear Amine
Please see the configurations.
The one used as "pool" is not working
The one used as "Direct" is working.

The logs shows as below:
01490010:5: /Common/Azure_AD_Servers:Common:f040bbbf: Username ''
Feb 25 13:19:24 exlb-f502.azure.com err apmd[14492]: 01490107:3: /Common/Azure_AD_Servers:Common:fb31d8a4: AD module: authentication with 'xxxx' failed: Cannot contact any KDC for realm 'ZZZ.COM', principal name: arul@ZZZ.COM (-1765328228)

Thank you
Arul
- KeesvandenBos
  MVP
  Feb 27, 2024
  What is the status of the pool member?
  I also think you should use a tcp health monitor with port 88 to make sure the DC is up and running.
  - Bravo
    Nimbostratus
    Feb 27, 2024
    In the pool i am using single IP ( which is the same IP , when i use DIRECT)
    
    In logs i notice this -
    : /Common/Azure_AD_Servers:Common:a9df6506: Session variable 'session.ad.last.errmsg' set to 'Cannot contact any KDC for realm 'xxx.COM', principal name: arul@xxx.COM'
    
    I have checked DNS and ntp settings too, still no good
    
    Thank you