Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.3.0, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Jun 11, 2014 Severity: 3-Major
If AAA AD Server is configured with domain name only (KDC field is empty), then AD module tries to get KDCs using DNS SRV request. If the DNS server is unreachable then authentication failed, but does not log anything about the nature of the error: Oct 10 13:59:08 bigip8910mgmt debug apmd[1164]: 0149017c:7: 1948e023: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS Oct 10 13:59:18 bigip8910mgmt err apmd[1164]: 01490107:3: 1948e023: AD module: authentication with 'aa' failed: (1633716962) Oct 10 13:59:18 bigip8910mgmt debug apmd[1164]: 01490111:7: 1948e023: AD module: (): (1633716962)
It is not obvious where the misconfiguration or error is.
DNS server is unavailable, AAA AD Server is configured with domain name only; (KDC is empty).
None
The AD module now provides an error message to help administrator to investigate the issue: Oct 10 14:07:55 bigip8910mgmt debug apmd[23429]: 0149017c:7: 70a5a23e: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS Oct 10 14:08:05 bigip8910mgmt err apmd[23429]: 01490107:3: 70a5a23e: AD module: authentication with 'aa' failed: Failed to resolve KDCs by domain name (-1) Oct 10 14:08:05 bigip8910mgmt debug apmd[23429]: 01490111:7: 70a5a23e: AD module: locateKDC(): Failed to resolve KDCs by domain name (-1)