Kerberos Delegation and NTLM auth Exchange 2013

hey Mike, thanks for tagging along here. I do have two different iApps configured the exact same way, the only difference being my VS IP is different. One public IP and one internal IP. I did not reuse any profiles while configuring the 2nd iApp, everything was newly created. I am authenticating with my user account in both scenarios. I had the issue before where iRules did not carry over correctly and profiles were in different partition paths but that is not the case currently. I know my DC connectivity is fine because I am using the same domain controllers for both the external and internal iApps, internal works, external does not. The logs almost indicate that the problem is internal to the BigIP since it's using the loopback IP and trying to open a service to respond to the logon request. I do have a case open for this. C1898067. Thanks for the help! I can get you full logs too if you think it will help. That is the fork in the road though between success and failure. everything prior to in the APM log file is exactly the same for that connection.

and again the interesting part about this is when I initially configured the iApp everything worked as expected. It wasn't until after a period of time where it would fail. I am at a loss right now.

That is unusual, and this not a use case that we've specifically tested; normally we'd see APM deployed only for the external clients. You've said you created new APM configs for both; are you using the same delegation and machine accounts for both configs? After it stops working, if you run "bigstart restart websso" on the BIG-IP, does it start working again? I looked at your case but couldn't find an iHealth upload for it. If you can post one I will take a look.

Do you know the impact of this? I see the definition of this service in the documentation, but would this impact communications with other AAA services, for example, for my citrix users that point to back end DC for authentication? Or this is only for access policies where an ntlm profile is assigned?

well I tried it anyway. It didn't fix the issue and actually now the internal connection fails as well with the same error.

Do you know the impact of this? I see the definition of this service in the documentation, but would this impact communications with other AAA services, for example, for my citrix users that point to back end DC for authentication? Or this is only for access policies where an ntlm profile is assigned?

well I tried it anyway. It didn't fix the issue and actually now the internal connection fails as well with the same error.

Got it, this is very helpful, I did not know that the client[] referenced a service-id under the ntlm auth config. How can I show this config via command line? I will check documentation on this as well. I did attempt to renew the machine account password previously (a few days ago) and it was successful. However after I restarted nlad yesterday, I started to receive ECA debug errors as well. So I figured I'd restart ECA as well, with no change, both ntlm auth attempts fail for both internal and external iApps. After that I figured like you said to just start from scratch on the ntlm auth config. I attempted to renew the machine account password, it failed. I tried to remove the account which also failed (but likely because it is tied to an access policy already). I tried to create a new machine account which also failed. NEW ECA Debug logs on failed OA exchange connection: Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_OPEN Aug 14 07:58:17 JHHCF5 info eca[16121]: 0162000b:6: [Common] 10.1.12.9:63069 New connection on virtual /Common/exchange_int_iapp.app/exchange_int_iapp_combined_https Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_REQUEST Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) 6 headers received, iov_count: 1 Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :method: RPC_OUT_DATA Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :uri: /rpc/rpcproxy.dll?VMCAS01.jhhc.com:6002 Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Host: email.jhhc.com Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Cookie: OutlookSession="{89DE0638-A161-4C6E-8E7E-AB53F2AAB02D} Outlook=14.0.7108.5000 OS=6.1.7601" Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :custommeta: select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Received metadata (select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: eca_module_ntlm.cpp:770 ntlm_cfg_process_op_find_set_cfg, err = ECA_ERR_NOT_FOUND Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: eca_module_ntlm.cpp:728 ntlm_cfg_handler, err = ECA_ERR_NOT_FOUND Aug 14 07:58:17 JHHCF5 err eca[16121]: 0162000e:3: Invalid argument (/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 err eca[16121]: 0162000e:3: Invalid metadata (select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_REQUEST_DONE Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_ABORT_PROXY Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_CLOSE Aug 14 07:58:17 JHHCF5 info eca[16121]: 0162000b:6: [Common] 10.1.12.9:63069 Connection is closed At this point I went ahead and changed the NTLM auth settings to basic for the iApp just so I can remove the NTLM machine account. When attempting to recreate, here are the debug APM logs upon creation attempt (I think these are the relevant logs). Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/Sys.cpp func: "queryIpv6Preference()" line: 121 Msg: Retrieving Sys::Dns Info Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 436 Msg: Querying for config: Class: 4826 Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4827 = /Common/dns Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4829 = include Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4830 = dns Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4828 = Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 01490175:5: Prefer resolving hostname with IPv4 address Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: Using the following server settings: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: domain name = 'JHHC.COM' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: domain controller = 'JHHCDC01.JHHC.COM' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: admin name = 'gricketts1' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: admin password = ****** Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: PADATA encryption type = Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: none Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: Other settings specified for the test: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: test type: AD Domain Join Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: userName: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: concurrency: 1 Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: CCache file root: /var/run/krb5cc Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: output file: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: urlDecoded: 0 Aug 14 08:12:31 JHHCF5 err adutil[30741]: 01490200:3: thread 0 started Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 0149019d:7: verifyKrb5Cache(): Credentials cache file '/var/run/krb5cc/ADTest/krb5cc_0_apmd' not found, func=krb5_cc_set_flag(0), ticket cache FILE:/var/run/krb5cc/ADTest/krb5cc_0_apmd Aug 14 08:12:49 JHHCF5 err adutil[30741]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'JHHC.COM' Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: do_connect: error = -1 Aug 14 08:12:49 JHHCF5 err adutil[30741]: 01490200:3: ERROR: domain join for 'JHHC-F5' failed: (0) Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: (): (0) Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: Aug 14 08:12:49 JHHCF5 notice adutil[30741]: 0149019f:5: thrd_id[0]: succ_cnt=0, fail_cnt=1 All I get from the logs is it failed bc it could not connect to the DC. Same error I get in the GUI. Not sure why, the domain controllers are available and actively processing AAA requests for other services. I am using the same DA account I used previously to create the last machine account. Any help is appreciated, I am almost to the point where I should just bounce the box.

Got it, this is very helpful, I did not know that the client[] referenced a service-id under the ntlm auth config. How can I show this config via command line? I will check documentation on this as well. I did attempt to renew the machine account password previously (a few days ago) and it was successful. However after I restarted nlad yesterday, I started to receive ECA debug errors as well. So I figured I'd restart ECA as well, with no change, both ntlm auth attempts fail for both internal and external iApps. After that I figured like you said to just start from scratch on the ntlm auth config. I attempted to renew the machine account password, it failed. I tried to remove the account which also failed (but likely because it is tied to an access policy already). I tried to create a new machine account which also failed. NEW ECA Debug logs on failed OA exchange connection: Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_OPEN Aug 14 07:58:17 JHHCF5 info eca[16121]: 0162000b:6: [Common] 10.1.12.9:63069 New connection on virtual /Common/exchange_int_iapp.app/exchange_int_iapp_combined_https Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_REQUEST Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) 6 headers received, iov_count: 1 Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :method: RPC_OUT_DATA Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :uri: /rpc/rpcproxy.dll?VMCAS01.jhhc.com:6002 Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Host: email.jhhc.com Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: Cookie: OutlookSession="{89DE0638-A161-4C6E-8E7E-AB53F2AAB02D} Outlook=14.0.7108.5000 OS=6.1.7601" Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Header: :custommeta: select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https Aug 14 07:58:17 JHHCF5 debug eca[16121]: 0162000c:7: [Common] 10.1.12.9:63069 (0x5bf48ee0) Received metadata (select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: eca_module_ntlm.cpp:770 ntlm_cfg_process_op_find_set_cfg, err = ECA_ERR_NOT_FOUND Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: eca_module_ntlm.cpp:728 ntlm_cfg_handler, err = ECA_ERR_NOT_FOUND Aug 14 07:58:17 JHHCF5 err eca[16121]: 0162000e:3: Invalid argument (/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 err eca[16121]: 0162000e:3: Invalid metadata (select_ntlm:/Common/exchange_int_iapp.app/exch_ntlm_combined_https) Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_REQUEST_DONE Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_ABORT_PROXY Aug 14 07:58:17 JHHCF5 debug eca[16121]: 01620012:7: (0x5bf48ee0) TMEVT_CLOSE Aug 14 07:58:17 JHHCF5 info eca[16121]: 0162000b:6: [Common] 10.1.12.9:63069 Connection is closed At this point I went ahead and changed the NTLM auth settings to basic for the iApp just so I can remove the NTLM machine account. When attempting to recreate, here are the debug APM logs upon creation attempt (I think these are the relevant logs). Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/Sys.cpp func: "queryIpv6Preference()" line: 121 Msg: Retrieving Sys::Dns Info Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 436 Msg: Querying for config: Class: 4826 Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4827 = /Common/dns Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4829 = include Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4830 = dns Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/MCPInterface.cpp func: "send()" line: 445 Msg: Querying for config: with constraint 4828 = Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 01490175:5: Prefer resolving hostname with IPv4 address Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: Using the following server settings: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: domain name = 'JHHC.COM' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: domain controller = 'JHHCDC01.JHHC.COM' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: admin name = 'gricketts1' Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: admin password = ****** Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: PADATA encryption type = Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: none Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: Other settings specified for the test: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: test type: AD Domain Join Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: userName: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: concurrency: 1 Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: CCache file root: /var/run/krb5cc Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: output file: Aug 14 08:12:31 JHHCF5 notice adutil[30741]: 0149019f:5: urlDecoded: 0 Aug 14 08:12:31 JHHCF5 err adutil[30741]: 01490200:3: thread 0 started Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:12:31 JHHCF5 debug adutil[30741]: 0149019d:7: verifyKrb5Cache(): Credentials cache file '/var/run/krb5cc/ADTest/krb5cc_0_apmd' not found, func=krb5_cc_set_flag(0), ticket cache FILE:/var/run/krb5cc/ADTest/krb5cc_0_apmd Aug 14 08:12:49 JHHCF5 err adutil[30741]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'JHHC.COM' Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: do_connect: error = -1 Aug 14 08:12:49 JHHCF5 err adutil[30741]: 01490200:3: ERROR: domain join for 'JHHC-F5' failed: (0) Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: (): (0) Aug 14 08:12:49 JHHCF5 debug adutil[30741]: 0149019d:7: Aug 14 08:12:49 JHHCF5 notice adutil[30741]: 0149019f:5: thrd_id[0]: succ_cnt=0, fail_cnt=1 All I get from the logs is it failed bc it could not connect to the DC. Same error I get in the GUI. Not sure why, the domain controllers are available and actively processing AAA requests for other services. I am using the same DA account I used previously to create the last machine account. Any help is appreciated, I am almost to the point where I should just bounce the box.

I have tried both, by leaving the FQDN blank and specifying a specific domain controller fqdn, fails both ways. Here are the logs for enumerating KDC's via DNS, which it is able to do successfully. Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 01490175:5: Prefer resolving hostname with IPv4 address Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: Using the following server settings: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: domain name = 'JHHC.COM' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: domain controller = '' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: admin name = 'gricketts1' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: admin password = ****** Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: PADATA encryption type = Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: none Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: Other settings specified for the test: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: test type: AD Domain Join Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: userName: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: concurrency: 1 Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: CCache file root: /var/run/krb5cc Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: output file: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: urlDecoded: 0 Aug 14 08:49:10 JHHCF5 err adutil[32504]: 01490200:3: thread 0 started Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: verifyKrb5Cache(): Credentials cache file '/var/run/krb5cc/ADTest/krb5cc_0_apmd' not found, func=krb5_cc_set_flag(0), ticket cache FILE:/var/run/krb5cc/ADTest/krb5cc_0_apmd Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Domain Controller is not specified for domain 'JHHC.COM', KDCs will be discovered using DNS Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'vmdc03.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc02.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc01.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: authenticate with 'gricketts1' successfully Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Domain Controller is not specified for domain 'JHHC.COM', KDCs will be discovered using DNS Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'vmdc03.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc01.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc02.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:49:20 JHHCF5 err adutil[32504]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'JHHC.COM' Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: do_connect: error = -1 Aug 14 08:49:20 JHHCF5 err adutil[32504]: 01490200:3: ERROR: domain join for 'JHHC-BIGIP' failed: Can't contact LDAP server (-1) Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: ldap_sasl_interactive_bind_s(): Can't contact LDAP server (-1) Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: Aug 14 08:49:20 JHHCF5 notice adutil[32504]: 0149019f:5: thrd_id[0]: succ_cnt=0, fail_cnt=1 I can dig all the DC's from the BigIP as well, no issues with DNS doesn;t seem like. And a packet capture shows a successful LDAP bind response from the DC

OK really weird. I just kept retrying joining the BigIP to the domain and it finally worked. No idea how that happened. This happened to me prior when configuring the machine account originally. I tried a few times and it failed. Opened a case, tried again and it finally worked. All the same config. OK, now to try to reconfigure iApps to use new NTLM config. Keep you posted.

OK. With the machine account recreated and NTLM auth config redone, I am able to successfully authenticate to both internal and external iApps. I guess I can only chalk this up to something was busted with the initial machine account perhaps? I am not sure. I did notice in the ECA debug logs, I am actually sending NTLMv2 auth requests. In the appendix for the echange 2013 iApp there is a manual process for replacing the NTLM profile with an NTLMv2 profile. How is this working if NTLMv2 is being sent but the iApp is configured to accept NTLM? Is it necessary for me to follow the NTLMv2 config procedure at this time?

I have tried both, by leaving the FQDN blank and specifying a specific domain controller fqdn, fails both ways. Here are the logs for enumerating KDC's via DNS, which it is able to do successfully. Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 01490175:5: Prefer resolving hostname with IPv4 address Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: Using the following server settings: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: domain name = 'JHHC.COM' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: domain controller = '' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: admin name = 'gricketts1' Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: admin password = ****** Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: PADATA encryption type = Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: none Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: Other settings specified for the test: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: test type: AD Domain Join Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: userName: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: concurrency: 1 Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: CCache file root: /var/run/krb5cc Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: output file: Aug 14 08:49:10 JHHCF5 notice adutil[32504]: 0149019f:5: urlDecoded: 0 Aug 14 08:49:10 JHHCF5 err adutil[32504]: 01490200:3: thread 0 started Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: verifyKrb5Cache(): Credentials cache file '/var/run/krb5cc/ADTest/krb5cc_0_apmd' not found, func=krb5_cc_set_flag(0), ticket cache FILE:/var/run/krb5cc/ADTest/krb5cc_0_apmd Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Domain Controller is not specified for domain 'JHHC.COM', KDCs will be discovered using DNS Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'vmdc03.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc02.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc01.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: authenticate with 'gricketts1' successfully Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Domain Controller is not specified for domain 'JHHC.COM', KDCs will be discovered using DNS Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'vmdc03.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc01.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Adding 'jhhcdc02.jhhc.com' to KDC list Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 01490000:7: Utils/Sys.cpp func: "getIpv6Preference()" line: 46 Msg: Prefer IPv6: false Aug 14 08:49:10 JHHCF5 debug adutil[32504]: 0149019d:7: Using '127.0.0.1' as a Name Server Aug 14 08:49:20 JHHCF5 err adutil[32504]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'JHHC.COM' Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: do_connect: error = -1 Aug 14 08:49:20 JHHCF5 err adutil[32504]: 01490200:3: ERROR: domain join for 'JHHC-BIGIP' failed: Can't contact LDAP server (-1) Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: ldap_sasl_interactive_bind_s(): Can't contact LDAP server (-1) Aug 14 08:49:20 JHHCF5 debug adutil[32504]: 0149019d:7: Aug 14 08:49:20 JHHCF5 notice adutil[32504]: 0149019f:5: thrd_id[0]: succ_cnt=0, fail_cnt=1 I can dig all the DC's from the BigIP as well, no issues with DNS doesn;t seem like. And a packet capture shows a successful LDAP bind response from the DC

OK really weird. I just kept retrying joining the BigIP to the domain and it finally worked. No idea how that happened. This happened to me prior when configuring the machine account originally. I tried a few times and it failed. Opened a case, tried again and it finally worked. All the same config. OK, now to try to reconfigure iApps to use new NTLM config. Keep you posted.

OK. With the machine account recreated and NTLM auth config redone, I am able to successfully authenticate to both internal and external iApps. I guess I can only chalk this up to something was busted with the initial machine account perhaps? I am not sure. I did notice in the ECA debug logs, I am actually sending NTLMv2 auth requests. In the appendix for the echange 2013 iApp there is a manual process for replacing the NTLM profile with an NTLMv2 profile. How is this working if NTLMv2 is being sent but the iApp is configured to accept NTLM? Is it necessary for me to follow the NTLMv2 config procedure at this time?

OK well we're back to the drawing board. All of a sudden EVERYTHING has stopped working. The APM login page will not even display for OWA. I have a case open with support, but I am tempted to completely delete and rebuild. I did this before, sometimes it works, other times it does not.