Multiple Domain Support not working on APM

Nimbostratus

May 22, 2015

Hi Mike,

With debug set on APM here are the outputs from cross domain failing on webmail1 but working on webmail2 (the reverse). I couldn't see anything that explains why the realm is unknown on webmail1 connections.

1) Connection to webmail1.domain.com. using domain-b account you can see cross domain support is not working

    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 01490023:7: c5b29dcf: AD module: ENTER Function authenticateUser
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017c:7: c5b29dcf: AD module: Domain Controller is not specified for domain 'DOMAIN-B.INTERNAL', KDCs will be discovered using DNS
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc1.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc2.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 0149017d:7: c5b29dcf: AD module: Adding 'dc3.domain-b.internal' to KDC list
    May 22 10:45:46 LB-APMDEV01 debug apd[32536]: 01490000:7: Sys.cpp func: "getIpv6Preference()" line: 50 Msg: Prefer IPv6: false
    May 22 10:46:04 LB-APMDEV01 debug apd[32536]: 0149017b:7: c5b29dcf: AD module: User 'tstusr1@DOMAIN-B' belongs to domain 'DOMAIN-B.INTERNAL'
    May 22 10:46:22 LB-APMDEV01 err apd[32536]: 01490107:3: c5b29dcf: AD module: authentication with 'tstusr1@DOMAIN-B' failed: Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured.  (-1765328316)
    May 22 10:46:22 LB-APMDEV01 debug apd[32536]: 01490111:7: c5b29dcf: AD module: krb5_get_init_creds_password(): Realm not local to KDC, principal name: tstusr1@DOMAIN-B@DOMAIN-A.COM. Realm not found. Please verify Domain Name configured. (-1765328316)
    May 22 10:46:22 LB-APMDEV01 debug apd[32536]: 01490024:7: c5b29dcf: AD module: LEAVE Function authenticateUser

2) Connection to webmail2.domain.com. using domain-a account you can see cross domain support is working.

    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017c:7: dcee4e04: AD module: Domain Controller is not specified for domain 'DOMAIN-A.COM', KDCs will be discovered using DNS
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc1.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc2.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 0149017d:7: dcee4e04: AD module: Adding 'dc3.domain-a.com' to KDC list
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 01490000:7: Sys.cpp func: "getIpv6Preference()" line: 50 Msg: Prefer IPv6: false
    May 22 10:51:49 LB-APMDEV01 debug apd[32536]: 01490024:7: dcee4e04: AD module: LEAVE Function authenticateUser
    May 22 10:51:49 LB-APMDEV01 info apd[32536]: 01490017:6: dcee4e04: AD agent: Auth (logon attempt:0): authenticate with 'tstusr2' successful

Thanks,

David

Forum Discussion

Multiple Domain Support not working on APM

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Unblock Request WAF

F5OS login with admin/root failed via console

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Related Content

Using n8n To Orchestrate Multiple Agents

Support and Help for DevCentral and Offline Contact

APM Configuration to Support Duo MFA using iRule

Securing Applications using mTLS Supported by F5 Distributed Cloud

Remove iRule From Multiple Virtual Servers (Fork /w multiple partition support)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS