rgordon_01
Nimbostratus
Oct 28, 2016

Can't change AD password through APM

Access policy uses AD Auth for authentication. AD AAA is using a pool with 2 members. I have priority group enabled. In the APM log it shows: AD module: change password for 'username' failed: Password change rejected(4), result_string: (4). I've found an old post regarding this same issue, and apparently a pool does not work; you must use Direct. An F5 rep mentioned the best practice solution is to use Direct and add the domain name and admin account/pw but no domain controller? Sorry if this seems like a dumb question, but how will AD natively load balance with no DC entered and only set up as Direct? We really need a pool for redundancy in case one of our DCs is having an issue or is down for maintenance. Or is it still a bug and it just does not work with a pool? We are on 11.5.1.


3 Replies

  • Lucas_Thompson_
    Historic F5 Account

    Try doing a packet capture while you are attempting the password change operation. I seem to recall there was a very old defect where password changes failed when UDP 464 was blocked, and 11.5.1 is quite old, so perhaps this is the cause of the problem.


    In any case, a packet capture should reveal the problem easily. Filter on port 464 (kpasswd), 88 (krb), and 53 (dns).


    • rgordon_01
      Nimbostratus

      My mistake. It actually does work using a pool. The issue was due to a group policy not allowing a password to be changed again within a 24-hour period. It just so happened both the accounts we tried from had already had the password changed that day. Sorry for the confusion. Thanks!
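As an added example (not code from the thread or from F5), the script below triages APM log lines for the AD password-change failure quoted in the question and builds the capture filter the reply suggests. The failure-line format is taken from the single line quoted above; the success-line shape, the log prefix, the usernames and every sample line are constructed assumptions for illustration. The summary it produces is the kind of thing that separates a product or connectivity defect (many users, many codes) from a policy hit such as the 24-hour minimum-age rule the thread ended on (the same user failing repeatedly with the same code).

```python
"""Triage F5 APM log lines for AD password-change failures.

Added example, not part of the forum thread and not F5 product code.
The failure message format is assumed from the one line quoted in the question:
    AD module: change password for 'username' failed: Password change rejected(4), result_string: (4)
Everything else (log prefix, success wording, users) is constructed.
"""
import re
from collections import Counter

# Failure message as quoted in the question (format assumed from that one line).
FAILURE_RE = re.compile(
    r"AD module: change password for '(?P<user>[^']+)' failed: "
    r"(?P<reason>[^(]+)\((?P<code>\d+)\)"
)
# Success wording is an assumption; the thread shows no successful line.
SUCCESS_RE = re.compile(r"AD module: change password for '(?P<user>[^']+)' succeeded")

# Ports the reply says to filter on when capturing (port -> protocol label).
CAPTURE_PORTS = {464: "kpasswd", 88: "krb", 53: "dns"}

# Constructed sample log; the timestamp/process prefix is invented.
SAMPLE_LOG = [
    "2016-10-28 10:01:02 apmd: AD module: change password for 'jdoe' failed: Password change rejected(4), result_string: (4)",
    "2016-10-28 10:01:40 apmd: Session created for 'asmith'",  # unrelated line, ignored
    "2016-10-28 10:02:11 apmd: AD module: change password for 'asmith' failed: Password change rejected(4), result_string: (4)",
    "2016-10-28 10:05:30 apmd: AD module: change password for 'jdoe' succeeded",
    "2016-10-28 10:06:12 apmd: AD module: change password for 'jdoe' failed: Password change rejected(4), result_string: (4)",
]


def parse_line(line):
    """Return a dict describing one password-change event, or None for other lines."""
    m = FAILURE_RE.search(line)
    if m:
        return {
            "user": m.group("user"),
            "ok": False,
            "reason": m.group("reason").strip(),
            "code": int(m.group("code")),
        }
    m = SUCCESS_RE.search(line)
    if m:
        return {"user": m.group("user"), "ok": True, "reason": None, "code": 0}
    return None


def summarize(lines):
    """Count events, failures by result code, and users who failed more than once.

    Repeated failures by the same user with the same code point at an account-side
    cause (such as a minimum password age policy) rather than a transport problem.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = [e for e in events if not e["ok"]]
    per_user = Counter(e["user"] for e in failures)
    return {
        "total": len(events),
        "failed": len(failures),
        "by_code": dict(Counter(e["code"] for e in failures)),
        "repeat_users": sorted(u for u, n in per_user.items() if n > 1),
    }


def capture_filter(ports=CAPTURE_PORTS):
    """Build a tcpdump/BPF expression covering the ports named in the reply."""
    return " or ".join(f"port {p}" for p in sorted(ports))


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("capture with: tcpdump -nn -i <interface> '" + capture_filter() + "'")
```

Feed the real `/var/log/apm` lines to `summarize()` in place of `SAMPLE_LOG`; the `capture_filter()` string is the expression to pass to tcpdump on the BIG-IP while reproducing the change, so that the kpasswd, Kerberos and DNS exchange to each pool member is visible.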