Forum Discussion
APM Active Directory Change Password
Hi,
I have an APM 11.6.0 policy configured to authenticate against Active Directory (working fine) using a 2012 R2 domain controller. I try to enable the password_change checkbox in the logon page settings (works fine, box shows up, can enter credentials and password to change) but the password change fails.
I did a packet capture and it looks like Kerberos is failing with this error:
KRB_ERROR_RESPONSE_TOO_BIG
I have Kerberos pre-auth set to AES256. Looks like Kerberos is using UDP. I tried creating a new user for Kerberos to authenticate that was only a part of Domain Admins (there was an article here).
I had set this up previously in a different lab on 11.5.x and it was working fine (think that was a 2012 non-R2 domain controller, however).
Any help appreciated! If it makes any difference, it is an AWS F5 AMI.
2 Replies
- On hotfix 4 actually, going to try hotfix 5. Doubtful it will fix.
- Seth_Cooper
Employee
The UDP failure is standard; it will then use TCP if we get the UDP failure. Do you see anything after the UDP error running on TCP? Do you have an admin user created in the AAA with sufficient privileges to change passwords?
Seth
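The UDP-then-TCP behaviour described in the reply above, as an added example that is not part of the original thread or F5's code: it parses a KRB-ERROR reply (RFC 4120) and reports whether the error code is 52, KRB_ERR_RESPONSE_TOO_BIG, which only tells the client to resend over TCP, or a different code that points at a real failure. The sample message is constructed, its realm and timestamp are placeholders, and the mandatory sname field is left out to keep it short.

```python
# Added example: classify a Kerberos KRB-ERROR reply seen in a packet capture.
# Sample bytes are constructed below, not taken from the original post.
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120: KDC asks the client to retry over TCP

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Extract error-code (field [6]) from a KRB-ERROR ([APPLICATION 30])."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x7E:  # 0x7E = APPLICATION 30, constructed
        raise ValueError("not a KRB-ERROR message")
    tag, fields, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA6:  # context tag [6] wraps the error-code INTEGER
            _, raw, _ = read_tlv(value, 0)
            return int.from_bytes(raw, "big", signed=True)
    raise ValueError("error-code field missing")

def should_retry_over_tcp(udp_reply):
    """True when the UDP reply only signals 'resend this request over TCP'."""
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG

def tlv(tag, value):
    """Minimal DER encoder (short-form lengths only) used to build samples."""
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed KRB-ERROR for error codes below 128; placeholder realm."""
    fields = (tlv(0xA0, tlv(0x02, b"\x05"))               # pvno = 5
              + tlv(0xA1, tlv(0x02, b"\x1e"))             # msg-type = 30
              + tlv(0xA4, tlv(0x18, b"20240101000000Z"))  # stime (placeholder)
              + tlv(0xA5, tlv(0x02, b"\x00"))             # susec
              + tlv(0xA6, tlv(0x02, bytes([code])))       # error-code
              + tlv(0xA9, tlv(0x1B, b"EXAMPLE.TEST")))    # realm (placeholder)
    return tlv(0x7E, tlv(0x30, fields))
```

Over TCP each Kerberos message is preceded by a 4-byte big-endian length, so strip that prefix before passing a TCP payload to `krb_error_code`.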