APM - authentication does not work when pool of AD servers are used
Can you share configuration of AAA > AD for both working and not working configurations?
Do you have any relevant entries in access logs? Did you increase the log level of Access Policy to debug? (Configuring the BIG-IP APM Logging Levels (12.x and newer) (f5.com))
Dear Amine
Please see the configurations.
The one used as "pool" is not working
The one used as "Direct" is working.
The logs show as below:
01490010:5: /Common/Azure_AD_Servers:Common:f040bbbf: Username ''
Feb 25 13:19:24 exlb-f502.azure.com err apmd[14492]: 01490107:3: /Common/Azure_AD_Servers:Common:fb31d8a4: AD module: authentication with 'xxxx' failed: Cannot contact any KDC for realm 'ZZZ.COM', principal name: arul@ZZZ.COM (-1765328228)
Thank you
Arul
- Feb 27, 2024
What is the status of the pool member?
I also think you should use a TCP health monitor with port 88 to make sure the DC is up and running.
- Bravo, Feb 27, 2024 (Nimbostratus)
In the pool I am using a single IP (which is the same IP when I use DIRECT).
In the logs I notice this:
: /Common/Azure_AD_Servers:Common:a9df6506: Session variable 'session.ad.last.errmsg' set to 'Cannot contact any KDC for realm 'xxx.COM', principal name: arul@xxx.COM'
I have checked DNS and ntp settings too, still no good
Thank you
- Amine_Kadimi, Feb 27, 2024 (MVP)
I second KeesvandenBos on the health monitor. Additionally, I would not use any health monitor while troubleshooting, and instead use tcpdump and filter for traffic between APM and DCs and look for any packets going from APM to DC but not receiving any answer, look in particular for port 389 and 88.
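To make the two pieces of advice in this thread (check the DC on port 88 and look for requests from APM to the DC that get no answer) concrete, here is an added Python example; it is not code from the thread, from F5 or from BIG-IP. It parses apmd log lines in the format shown above (the three sample lines are copied from the thread), pulls out the session ID, realm, principal and Kerberos error code, and then does a plain TCP connect check against a DC on ports 88 and 389, which is the same thing a TCP monitor with destination port 88 establishes. The regexes are derived from the lines in the thread; the value of KRB5_KDC_UNREACH is MIT krb5's error code for "cannot contact any KDC", which matches the -1765328228 in the log. Only the standard library is used.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# MIT krb5 error code for "Cannot contact any KDC for requested realm";
# it is the (-1765328228) printed at the end of the apmd line in the thread.
KRB5_KDC_UNREACH = -1765328228

# apmd line shape seen in the thread:
#   [<syslog prefix>] <msgid>:<level>: /<partition>/<policy>:<partition>:<session>: <text>
# The msgid/level part is optional because one pasted line lacked it.
APMD_RE = re.compile(
    r"(?:(?P<msgid>\d{8}):(?P<level>\d):)?\s*"
    r"(?P<policy>/[^:\s]+):(?P<partition>\w+):(?P<session>[0-9a-f]{8}):\s+"
    r"(?P<text>.*)$"
)
# The Kerberos error text, with the numeric code in parentheses when apmd prints it.
KRB_ERR_RE = re.compile(
    r"Cannot contact any KDC for realm '(?P<realm>[^']+)'"
    r"(?:.*?\((?P<code>-?\d+)\))?"
)
PRINCIPAL_RE = re.compile(r"principal name: (?P<principal>[^\s'()]+)")

# Constructed sample: the three log lines pasted in the thread, verbatim.
SAMPLE_APMD_LOG = [
    "01490010:5: /Common/Azure_AD_Servers:Common:f040bbbf: Username ''",
    "Feb 25 13:19:24 exlb-f502.azure.com err apmd[14492]: 01490107:3: "
    "/Common/Azure_AD_Servers:Common:fb31d8a4: AD module: authentication with "
    "'xxxx' failed: Cannot contact any KDC for realm 'ZZZ.COM', "
    "principal name: arul@ZZZ.COM (-1765328228)",
    ": /Common/Azure_AD_Servers:Common:a9df6506: Session variable "
    "'session.ad.last.errmsg' set to 'Cannot contact any KDC for realm "
    "'xxx.COM', principal name: arul@xxx.COM'",
]


@dataclass
class KdcFailure:
    session: str
    policy: str
    realm: str
    principal: Optional[str]
    code: Optional[int]
    msgid: Optional[str]

    def is_kdc_unreachable(self) -> bool:
        # Either apmd printed the krb5 code, or only the message text was logged.
        return self.code is None or self.code == KRB5_KDC_UNREACH


def parse_apmd_line(line: str) -> Optional[KdcFailure]:
    """Return a KdcFailure for an AD-module KDC-unreachable line, else None."""
    m = APMD_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    k = KRB_ERR_RE.search(text)
    if not k:
        return None  # some other apmd message (e.g. the Username '' line)
    p = PRINCIPAL_RE.search(text)
    code = int(k.group("code")) if k.group("code") is not None else None
    return KdcFailure(
        session=m.group("session"),
        policy=m.group("policy"),
        realm=k.group("realm"),
        principal=p.group("principal") if p else None,
        code=code,
        msgid=m.group("msgid"),
    )


def find_kdc_failures(lines: Iterable[str]) -> List[KdcFailure]:
    """Filter an apmd log down to the KDC-unreachable events."""
    return [f for f in map(parse_apmd_line, lines) if f is not None]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect, i.e. what a TCP health monitor on that port checks."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host: str, ports=(88, 389), timeout: float = 2.0) -> Dict[int, bool]:
    """Check the Kerberos (88) and LDAP (389) ports of one DC from this host."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    for f in find_kdc_failures(SAMPLE_APMD_LOG):
        print(f"session {f.session}: realm {f.realm}, principal {f.principal}, "
              f"krb5 code {f.code}, KDC unreachable={f.is_kdc_unreachable()}")
    # Replace with a real DC address to run the reachability check (hypothetical value).
    print(probe_dc("dc1.example.test"))
```

Run the probe from the BIG-IP side (or wherever APM's traffic originates) rather than from a workstation, since the question in the thread is whether the path APM takes to the pool member works; a successful connect to 88 and 389 here but the same KDC error in apmd points back at what differs between the pool and the direct configuration.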