Bug ID 466579: AD doesn't log any message if DNS is unreachable and auth failed

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Jun 11, 2014
Severity: 3-Major

Symptoms

If the AAA AD Server is configured with a domain name only (the KDC field is empty), the AD module tries to discover KDCs using a DNS SRV request. If the DNS server is unreachable, authentication fails, but the AD module does not log anything about the nature of the error:

Oct 10 13:59:08 bigip8910mgmt debug apmd[1164]: 0149017c:7: 1948e023: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS
Oct 10 13:59:18 bigip8910mgmt err apmd[1164]: 01490107:3: 1948e023: AD module: authentication with 'aa' failed: (1633716962)
Oct 10 13:59:18 bigip8910mgmt debug apmd[1164]: 01490111:7: 1948e023: AD module: (): (1633716962)

Impact

It is not obvious where the misconfiguration or error is.

Conditions

The DNS server is unavailable and the AAA AD Server is configured with a domain name only (the KDC field is empty).

Workaround

None

Fix Information

The AD module now provides an error message to help the administrator investigate the issue:

Oct 10 14:07:55 bigip8910mgmt debug apmd[23429]: 0149017c:7: 70a5a23e: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS
Oct 10 14:08:05 bigip8910mgmt err apmd[23429]: 01490107:3: 70a5a23e: AD module: authentication with 'aa' failed: Failed to resolve KDCs by domain name (-1)
Oct 10 14:08:05 bigip8910mgmt debug apmd[23429]: 01490111:7: 70a5a23e: AD module: locateKDC(): Failed to resolve KDCs by domain name (-1)
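A log triage sketch for the two patterns above, added here as an example and not F5 code: it correlates apmd lines by session ID and flags AD authentication failures that follow DNS-based KDC discovery, separating the unexplained failure of affected versions from the explicit message of fixed versions. The function name triage and the verdict labels are assumptions; the sample input is the six log lines quoted in this report, and on affected versions a flagged session is only a candidate for the DNS problem.

```python
import re

# Input: the six log lines quoted in this bug report (affected build, then fixed build).
SAMPLE = """\
Oct 10 13:59:08 bigip8910mgmt debug apmd[1164]: 0149017c:7: 1948e023: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS
Oct 10 13:59:18 bigip8910mgmt err apmd[1164]: 01490107:3: 1948e023: AD module: authentication with 'aa' failed: (1633716962)
Oct 10 13:59:18 bigip8910mgmt debug apmd[1164]: 01490111:7: 1948e023: AD module: (): (1633716962)
Oct 10 14:07:55 bigip8910mgmt debug apmd[23429]: 0149017c:7: 70a5a23e: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS
Oct 10 14:08:05 bigip8910mgmt err apmd[23429]: 01490107:3: 70a5a23e: AD module: authentication with 'aa' failed: Failed to resolve KDCs by domain name (-1)
Oct 10 14:08:05 bigip8910mgmt debug apmd[23429]: 01490111:7: 70a5a23e: AD module: locateKDC(): Failed to resolve KDCs by domain name (-1)
"""

# apmd line layout as seen above: "<msgid>:<level>: <session id>: AD module: <text>"
LINE = re.compile(
    r"apmd\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d: (?P<sid>[0-9a-f]{8}): "
    r"AD module: (?P<text>.*)$"
)
# Text of message 01490107: optional reason string, then a numeric code in parentheses.
FAILED = re.compile(r"authentication with '[^']*' failed: (?P<reason>.*)\((?P<code>-?\d+)\)$")


def triage(lines):
    """Map session ID -> (label, detail) for AD auth failures after DNS KDC discovery."""
    used_dns_discovery = set()
    verdicts = {}
    for line in lines:
        m = LINE.search(line.rstrip())
        if not m:
            continue
        sid, msgid, text = m["sid"], m["msgid"], m["text"]
        if msgid == "0149017c" and "KDCs will be discovered using DNS" in text:
            used_dns_discovery.add(sid)
        elif msgid == "01490107" and sid in used_dns_discovery:
            failed = FAILED.search(text)
            if not failed:
                continue
            reason = failed["reason"].strip()
            if not reason:
                # Affected versions: only a bare code is logged; check DNS reachability.
                verdicts[sid] = ("unexplained", failed["code"])
            elif reason.startswith("Failed to resolve KDCs"):
                verdicts[sid] = ("kdc-dns-failure", reason)
            else:
                verdicts[sid] = ("other", reason)
    return verdicts


if __name__ == "__main__":
    for session, verdict in triage(SAMPLE.splitlines()).items():
        print(session, *verdict)
```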

Behavior Change