Forum Discussion
AndOs
Cirrostratus
Apr 16, 2013
Can't change AD password through APM
Hi!
I'm having some problems with password change for expired AD passwords through APM.
Running on APM+LTM 11.2.1 build 797.
Using "AD Auth" in the access policies to authentica...
AndOs
Cirrostratus
Apr 17, 2013
1. In your AD AAA, remove the pool and monitor and leave only the domain name and admin user/pass. DNS should be configured so that BIG-IP can resolve this domain name.
Use "Server Connection: Direct" instead of Pool?
I switched the AAA to Direct and entered one of our DCs instead of using a pool and password change started to work!
Packet capture now shows that it's talking UDP to DCs just like the test env.
It's still strange though that test uses a pool and everything works there.
2. Compare the /etc/krb5.conf file between test and prod. Do you see any significant differences?
There's no difference that I can see, except that we have one other domain in test env.
I see in /etc/krb5.conf that it defines a few log files, but I can't find them under /var/log.
Is it possible to turn on those logs?
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
/Andreas
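
For the /etc/krb5.conf comparison between test and prod suggested in point 2 above, an order-insensitive diff is more reliable than reading the two files side by side. The following is an added example, not part of the original thread or of any F5 tooling; the two sample files and their realm and host names are constructed.

```python
import re

def parse_krb5(text):
    """Flatten krb5.conf text into a set of (section/sub/key, value) pairs."""
    pairs, path = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:                              # top-level section resets nesting
            path = [section.group(1).strip()]
            continue
        if line.startswith("}"):                 # end of a nested block such as a realm
            if len(path) > 1:
                path.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep or not path:                  # not a relation (e.g. include directive)
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            path.append(key)                     # descend into the nested block
        else:
            pairs.add(("/".join(path + [key]), value))
    return pairs

def diff_krb5(conf_a, conf_b):
    """Return (only_in_a, only_in_b), ignoring ordering, comments and whitespace."""
    a, b = parse_krb5(conf_a), parse_krb5(conf_b)
    return sorted(a - b), sorted(b - a)

# Constructed sample files (realm and host names are made up).
TEST_CONF = """[realms]
 EXAMPLE.TEST = {
  kdc = dc1.example.test
  kdc = dc2.example.test
 }
 OTHER.TEST = {
  kdc = dc9.other.test
 }
"""
PROD_CONF = """# same realm, KDCs listed in a different order
[realms]
 EXAMPLE.TEST = {
  kdc = dc2.example.test
  kdc = dc1.example.test
 }
"""
```

Calling `diff_krb5(TEST_CONF, PROD_CONF)` on these samples reports only the extra realm in the test file; the comparison ignores ordering, so the same KDCs listed in a different order compare as equal.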