Forum Discussion
elastic_82555
Apr 26, 2013, Nimbostratus
kerberos and ntlm authentication using APM
Hi,
I have set up the SharePoint 2010 iApp using NTLM authentication and it is working well (using the F5 login page); however, I now have a requirement to use Kerberos authentication as well...
emssie_128887
Jul 29, 2013, Nimbostratus
Thank you, Kevin.
1. I created a new user account in AD -- all lower case
2. Generated a new keytab file with KRB5_NT_PRINCIPAL and uploaded it to the AAA server config in APM
3. Verified that the host and PTR records can be resolved by all units involved - client machine, Domain Controller, F5 appliance, web server
4. The Domain Controller (PDC) is configured as the NTP server of the F5 appliance to avoid time skew
5. I have checked the KVNO values in AD and in the keytab file - they match
6. Tested the keytab file using the klist command - good
Still no good.
Took a Wireshark capture on the domain controller.
I could see the TGS Kerberos request from the client machine to the DC and the DC sending the granted TGS ticket back to the client.
Checked DNS traffic: I saw the F5 looking for an AAAA record, which it does not find; it then asks for the host A record, which it resolves, but I don't know what it does with it after that.
On further analysis, we noticed that traffic from the F5 (e.g. DNS lookups, TCP) is coming from the mgmt port of the appliance rather than the self IP configured on the LTM (which I believe APM is listening on).
Furthermore, the IP address of the mgmt port is on the same VLAN as the Domain Controller. We suspect this could be the problem, but we have yet to confirm it. I will update you once we change the mgmt IP address to a different VLAN.
Thank you again for your response.
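The keytab checks in steps 2 and 5 of the reply above, as an added example that is not part of the original thread and not F5/APM tooling: a small Python parser for the MIT keytab layout (the version 0x0502 format written by ktpass and MIT ktutil), plus a checker that compares each entry's KVNO with the value read from the AD account (msDS-KeyVersionNumber), verifies the name type is KRB5_NT_PRINCIPAL, and flags RC4/DES keys. The sample keytab bytes are constructed inside the block; the SPN, realm and key material are placeholders, and the `keytab_entry`/`build_keytab`/`check_keytab` helper names are this example's own.

```python
"""Parse an MIT-format (version 0x0502) Kerberos keytab and check it against
the KVNO recorded on the AD account (msDS-KeyVersionNumber).

Added example for the troubleshooting steps above; not F5/APM or DevCentral
code. The keytab built in main() is constructed here; the principal, realm
and key bytes are placeholders."""
from __future__ import annotations

import struct
from dataclasses import dataclass

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4: report, do not deploy


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):       # v2 component count excludes the realm
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit vno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries


def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                 name_type: int = 1, timestamp: int = 0) -> bytes:
    """Serialise one size-prefixed entry in the layout parse_keytab reads (test data only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(*entries: bytes) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def check_keytab(data: bytes, expected_principal: str, ad_kvno: int) -> list[str]:
    """Findings that would stop APM using this keytab; an empty list means it looks right."""
    findings = []
    entries = parse_keytab(data)
    if not entries:
        findings.append("keytab contains no entries")
    for e in entries:
        if e.principal != expected_principal:   # exact: MIT principal matching is case-sensitive
            findings.append(f"{e.principal}: principal differs from {expected_principal}")
        if e.name_type != 1:
            findings.append(f"{e.principal}: name type {NAME_TYPES.get(e.name_type, e.name_type)}, "
                            "expected KRB5_NT_PRINCIPAL")
        if e.kvno != ad_kvno:
            findings.append(f"{e.principal}: keytab KVNO {e.kvno} != AD msDS-KeyVersionNumber {ad_kvno}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal}: weak enctype {ENCTYPES.get(e.enctype, e.enctype)}")
    return findings


if __name__ == "__main__":
    spn = "HTTP/sharepoint.example.com@EXAMPLE.COM"                 # placeholder SPN
    kt = build_keytab(keytab_entry(spn, 3, 18, bytes(range(32))))   # placeholder AES-256 key
    for e in parse_keytab(kt):
        print(e.principal, NAME_TYPES[e.name_type], "kvno", e.kvno, ENCTYPES[e.enctype])
    print(check_keytab(kt, spn, 3) or "keytab matches AD")
    print(check_keytab(kt, spn, 4))   # simulate a password reset that bumped the AD KVNO
```

To use it against a real file, read the keytab that was uploaded to the APM AAA server object and pass the KVNO from the service account (on a domain-joined host, `Get-ADUser svc_account -Properties msDS-KeyVersionNumber`); any password reset or re-run of ktpass on that account increments the AD value and silently invalidates the keytab, which is exactly the mismatch step 5 rules out. The parser honours the two quirks that trip up hand-written checkers: deleted slots are stored with a negative size and must be skipped, and a KVNO above 255 lives only in the trailing 32-bit field.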