Forum Discussion
Can't change AD password through APM
Access policy uses AD Auth for authentication. AD AAA is using a pool with 2 members. I have priority group enabled. In the APM log it shows "AD module: change password for 'username' failed: Password change rejected(4), result_string: (4)". I've found an old post regarding this same issue, and apparently a pool does not work; you must use Direct. An F5 rep mentioned the best practice solution is to use Direct and add the domain name and admin account/password, but no domain controller? Sorry if this seems like a dumb question, but how will AD natively load balance with no DC entered and only set up as Direct? We really need a pool for redundancy in case one of our DCs is having an issue or is down for maintenance. Or is it still a bug and it just does not work with a pool? We are on 11.5.1.
3 Replies
- Lucas_Thompson_Historic F5 Account
Try doing a packet capture while you are attempting the password change operation. I seem to recall there was a very old defect where password changes failed when UDP 464 was blocked, and 11.5.1 is quite old, so perhaps this is the cause of the problem.
In any case, a packet capture should reveal the problem easily. Filter on port 464 (kpasswd), 88 (krb), and 53 (dns).
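As an added illustration of the capture suggested above (this is not from the thread or from F5), the shell snippet below builds the BPF filter for the three ports named, optionally narrowed to the domain controllers in the AAA pool, and runs tcpdump with it. The BIG-IP specifics it assumes are that interface `0.0` captures on all VLANs and that the `:nnn` suffix adds flow metadata; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5.
# Assumed BIG-IP tcpdump conventions: "0.0" = all VLANs, ":nnn" = add flow
# metadata to the capture (both are F5 tcpdump extensions, not stock options).

# apm_ad_filter [DC_IP ...]
# Print a BPF expression matching kpasswd (464), Kerberos (88) and DNS (53).
# If domain controller IPs are given, restrict the capture to those hosts.
apm_ad_filter() {
    ports='(port 464 or port 88 or port 53)'
    if [ $# -eq 0 ]; then
        printf '%s\n' "$ports"
        return 0
    fi
    hosts=''
    for dc in "$@"; do
        # Only dotted IPv4 is accepted here; reject anything else so a typo
        # does not silently become an unintended BPF primitive.
        case "$dc" in
            *[!0-9.]*|'') printf 'invalid DC address: %s\n' "$dc" >&2; return 1 ;;
        esac
        hosts="${hosts:+$hosts or }host $dc"
    done
    printf '%s and (%s)\n' "$ports" "$hosts"
}

# capture_pwchange OUTFILE [DC_IP ...]
# Start the capture; retry the password change from the client while it runs.
capture_pwchange() {
    out=$1; shift
    filter=$(apm_ad_filter "$@") || return 1
    tcpdump -nni 0.0:nnn -s0 -w "$out" "$filter"
}

# Usage on the BIG-IP (as root), then read the file back and look at 464 first:
#   capture_pwchange /var/tmp/apm-pwchange.pcap 192.0.2.10 192.0.2.11
#   tcpdump -nnr /var/tmp/apm-pwchange.pcap 'port 464'
```

If the capture shows no reply at all on UDP/TCP 464 from the selected pool member, a firewall between the BIG-IP and that DC is the first thing to check; if a reply does come back, the rejection is coming from the DC itself rather than from the path.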
- rgordon_01
Nimbostratus
My mistake. It actually does work using a pool. The issue was due to a group policy not allowing a password to be changed again within a 24-hour period. It just so happened both the accounts we tried from already had their password changed that day. Sorry for the confusion. Thanks!
- Lucas_Thompson_Historic F5 Account
Thanks for reporting back! Glad it's working.