Bug ID 671892: AD Auth/Query may fail when cross-domain option is requested

Last Modified: Apr 10, 2019


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
13.1.0

Opened: Jun 30, 2017
Severity: 3-Major

Symptoms

AD Auth/Query may fail when the cross-domain option is enabled and an AD Trusted Domains object is configured for the agent.

Impact

The agent fails and takes the fallback branch.

Conditions

When all of the following are true:

- AD Auth/Query is configured to use AD Trusted Domains.
- The cross-domain option is enabled.
- The user belongs to a trusted domain, and the AAA AD Server for that domain is a member of AD Trusted Domains.
- The AAA AD Server is configured with an empty KDC.

Workaround

For the affected AAA AD Server, configure a KDC. It can be any acceptable value (IP, FQDN, LTM pool), but must not be empty.

Fix Information

Cross-realm AD Auth/Query now succeeds, even if the AAA AD Server has no KDC configured.

Behavior Change