For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AndOs's avatar
AndOs
Icon for Cirrostratus rankCirrostratus
Apr 16, 2013

Can't change AD password through APM

Hi!     I'm having some problems with password change for expired AD passwords through APM.   Running on APM+LTM 11.2.1 build 797.   Using "AD Auth" in the access policies to authentica...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 14, 2013

AD auth\query use Kerberos on the back side. I have observed that the AD AAA uses DC pool members like a SNAT pool, where one address is exhausted before moving to the next one. If this causes a problem on the DC, the AAA will mark the IP as offline for several minutes. A "best practice" solution is to select Direct in the AD AAA configuration, add the Domain Name in uppercase, and the admin account/password. AD will natively load balance itself and return the best DC for the job in an SRV query response.