Forum Discussion
R__Hickman
Nimbostratus
NimbostratusNTLM Machine Account Issues - APM
Good afternoon - I am hoping someone can point me in the right direction. I'm trying to use the iApp to deploy RDP Gateway using APM (using this template - ). Part of the config is to create a new NTLM Machine account. I had no issues creating the account - and the iApp deployment went swimmingly well. I also verified that the machine account showed up in AD as a computer account. However, I am seeing these errors in the APM logs:
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> nlclnt[2a8e2c794]: is now initializing.
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil), my_name = "F5LAB", dest_host = "domaincontroller.domain.local", port = 445, service = "IPC$", service_type = "IPC", user = "F5LAB$", domain = "DOMAIN")
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil)) = 0xC000006D
May 15 17:40:32 f5lab err nlad[6379]: 01620000:3: <0x56900b70> nlclnt[2a8e2c794] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.11.12.13
I also cannot renew the NTLM account password from the GUI as I get this error:
Could not connect to domain domain controller of realm 'domain.local'
machine account update for 'f5lab' failed: Preauthentication failed, principal name: f5lab@domain.local. Invalid user credentials. (-1765328360)
I'm running on 12.1.3.4 and have tried the following:
- Recreated the NTLM account, multiple times. I know I have permissions as the account does show up in AD, and I do have domain admin level permissions
- Restarted the eca service (bigstart restart eca)
- Restarted the nlad service (bigstart restart nlad)
- Restarted the F5 appliance itself.
- Verified that the DNS settings are configured properly. The F5 is able to resolve the domain controller IP from the alias.
- No firewall exists between this F5 and the domain controller.
Has anyone seen this and if so - can anyone point me in the right direction? I thought I'd try here before opening a support ticket with F5.
youssef1Cumulonimbus
Hi,
Did you check that Fw don't blocked your flow between F5 and your AD? Please check in the tracker if there are blockages and in this case port 445.
Just be carefful where the flow comes from (self or management)...
Keep me update
Regards.
R__HickmanI resolved this. Basically you have to stub out a computer account in AD first before creating the NTLM object from the F5 GUI. That way when you do your "Join" the computer account already exists and all is good.
