Forum Discussion
Colt_Majkrzak1
Mar 26, 2012, Nimbostratus
APM V11.1HF1 querying Active Directory
Hi Everyone,
I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (Built from the wizard), but I'm at...
David_Stout
Mar 26, 2012, Nimbostratus
You will need to use an admin account in AD and turn off kerberos pre-authentication.
Also there is a "feature" in the APM you may need to be aware of.
When configuring an AD AAA Server do not enter a Domain Controller name that requires a DNS lookup.
For example, if you do an nslookup for the domain controllers for my.domain.com:
>nslookup my.domain.com
Server: ns1
Address: 192.168.0.1
Name: my.domain.com
Addresses: 10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
In an effort to provide some fault tolerance I originally configured the AAA Server Domain Controller field to contain "my.domain.com" and then let DNS figure out which server to authenticate to. There is a small glitch in the APM Kerberos library which causes Kerberos to contact one server for its token then try to authenticate the AD User against another server.
To work around this issue (took me a while) I decided to create a VIP for port 88 (kerberos) and point it at the domain controllers. I then entered the VIP IP address in the Domain Controller field. This for me is working well now and allows fault tolerance.
Another thing to note about the APM AD configuration is that the AD Query part is only limited to a single domain. I had confirmation from F5 that it's not really able to work through a whole AD forest. So instead I used AD for authentication and LDAP for populating the session parameters including memberOf listing. AD Auth and AD Query don't have to go together, and in a multi-domain environment I would recommend the LDAP Query because in testing it worked faster.
There are a lot of "features" with the APM using AD but eventually I got a fully working multiple domain APM policy.
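The pitfall David describes is a Domain Controller field whose name resolves to several DCs, so the ticket request and the user authentication can land on different servers. The check below is an added example, not part of the thread or of F5's own tooling: it classifies a candidate Domain Controller value (IP literal, single-address name, multi-address name, unresolvable name) and flags the multi-address case. The FAKE_DNS table is constructed from the nslookup output above so the script runs offline; the default resolver uses the system DNS.

```python
import ipaddress
import socket
from typing import Callable, List

# A resolver maps a hostname to its list of IP address strings. The default
# asks the system DNS; a fake one is injected below so the example runs offline.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Return all A/AAAA addresses for name, in order, without duplicates."""
    infos = socket.getaddrinfo(name, 88, proto=socket.IPPROTO_TCP)
    return list(dict.fromkeys(info[4][0] for info in infos))


def check_domain_controller(value: str, resolve: Resolver = system_resolver) -> dict:
    """Classify an APM AD AAA Server 'Domain Controller' value.

    status: 'ok' (IP literal or single-address name), 'warn' (name resolves to
    several DCs, so the Kerberos ticket and the AD bind may hit different
    servers) or 'error' (name does not resolve).
    """
    try:
        ipaddress.ip_address(value)  # raises ValueError for hostnames
        return {"status": "ok", "addresses": [value],
                "reason": "IP literal; no DNS lookup at authentication time"}
    except ValueError:
        pass
    try:
        addresses = resolve(value)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return {"status": "error", "addresses": [], "reason": f"DNS lookup failed: {exc}"}
    if not addresses:
        return {"status": "error", "addresses": [], "reason": "name resolves to no addresses"}
    if len(addresses) == 1:
        return {"status": "ok", "addresses": addresses,
                "reason": "single address; ticket and bind reach the same DC"}
    return {"status": "warn", "addresses": addresses,
            "reason": f"{len(addresses)} addresses; ticket and bind may hit different DCs. "
                      "Front the DCs with a port-88 virtual server and enter its IP here."}


# Constructed lookup table mirroring the nslookup output in the thread.
FAKE_DNS = {"my.domain.com": ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"],
            "dc1.my.domain.com": ["10.1.1.1"]}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    for candidate in ("my.domain.com", "dc1.my.domain.com", "10.1.1.100", "nx.my.domain.com"):
        r = check_domain_controller(candidate, fake_resolver)
        print(f"{candidate:20} {r['status']:5} {r['reason']}")
```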