Forum Discussion

ecce's avatar
ecce
Icon for Cirrostratus rankCirrostratus
Sep 08, 2020

NTLM Authentication issue

Hi,

 

I'm setting up APM for authentication for Exchange 2013. In certain scenarios NTLM authentication is used to authenticate the client, and SSO via kerberos at the back end. This all works fine. The issue is that the NTLM machine account password sometime expires and is not automatically renewed, causing NTLM auth to fail. If I manually re-new the password all is fine again. So my main questions is: Does F5 not automatically renew its NTLM machine auth password? The policy in AD for the machine account is all default settings (30 days lifetime I think).

 

Side question: How is NTLM machine auth password synced in a HA environment? At the moment we use manual sync, and based on the timestamps for the NTLM machine auth password a new password is synced to the standby device when you sync configuration. Assuming you have renewed the password and NOT synced the configuration, and then failover to to the other BIGIP, will NTLM auth fail? (Thus requiring automatic sync?)

 

Thanks

  • Hello, no, the APM will not automatically update the password. At this time you have to manually renew it.

    • ecce's avatar
      ecce
      Icon for Cirrostratus rankCirrostratus

      I "solved" this by putting a cronjob for updating the NTLM machine account password on both devices with a few minutes between the jobs running once a month, and turning on automatic sync. But I guess restoring a UCS backup requires a new NTLM machine account to be created since requesting a new password seems to fail unless you already have the current one.

      30 */24 * * * /bin/tmsh modify apm ntlm machine-account <ntlm-account> action change-password

      Not pretty, but I cannot think of another way.