Forum Discussion

R__Hickman (Nimbostratus)
May 15, 2018

NTLM Machine Account Issues - APM

Good afternoon - I am hoping someone can point me in the right direction. I'm trying to use the iApp to deploy RDP Gateway using APM (using this template - ). Part of the config is to create a new NTLM Machine account. I had no issues creating the account - and the iApp deployment went swimmingly well. I also verified that the machine account showed up in AD as a computer account. However, I am seeing these errors in the APM logs:

May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> nlclnt[2a8e2c794]: is now initializing.
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil), my_name = "F5LAB", dest_host = "domaincontroller.domain.local", port = 445, service = "IPC$", service_type = "IPC", user = "F5LAB$", domain = "DOMAIN")
May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil)) = 0xC000006D
May 15 17:40:32 f5lab err nlad[6379]: 01620000:3: <0x56900b70> nlclnt[2a8e2c794] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.11.12.13

I also cannot renew the NTLM account password from the GUI as I get this error:

Could not connect to domain domain controller of realm 'domain.local'
machine account update for 'f5lab' failed: Preauthentication failed, principal name: f5lab@domain.local. Invalid user credentials. (-1765328360)

I'm running on 12.1.3.4 and have tried the following:

  • Recreated the NTLM account, multiple times. I know I have permissions, as the account does show up in AD, and I do have domain-admin-level permissions.
  • Restarted the eca service (bigstart restart eca)
  • Restarted the nlad service (bigstart restart nlad)
  • Restarted the F5 appliance itself.
  • Verified that the DNS settings are configured properly. The F5 is able to resolve the domain controller IP from the alias.
  • No firewall exists between this F5 and the domain controller.

Has anyone seen this and if so - can anyone point me in the right direction? I thought I'd try here before opening a support ticket with F5.

4 Replies

  • Hi,

    Did you check that a firewall isn't blocking your flow between the F5 and your AD? Please check in the tracker whether there are blockages, in this case on port 445.

    Just be careful where the flow comes from (self or management)...

    Keep me updated.

    Regards.

  • I resolved this. Basically you have to stub out a computer account in AD first before creating the NTLM object from the F5 GUI. That way when you do your "Join" the computer account already exists and all is good.

    • Nicol4s (Nimbostratus)

      I just wanna say that this workaround works great!

      Thanks dude.

    • boneyard (MVP)

      Experienced something similar a while ago; I believe it ended up having to do with allowed ports, as youssef is suggesting.

      But that workaround is a solution also.
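The pre-staging workaround from the reply above, written out as an added example (this is editor-supplied code, not something any poster in the thread or F5 provided). It assumes the ActiveDirectory PowerShell module is available, that the account running it may create computer objects, and it reuses the redacted names from the original post (F5LAB, domain.local, domaincontroller.domain.local); the OU path is a placeholder you must change. The point of the check at the end is that the APM "join" should reset the password on the stub object, so a recent pwdLastSet is the evidence that the join actually wrote to the account instead of failing as in the NT_STATUS_LOGON_FAILURE / Preauthentication failed errors quoted above.

```powershell
# Added example: pre-stage the computer object in AD, then verify after the APM join.
# Assumptions (not in the thread): ActiveDirectory module installed, rights to create
# computer objects, and the placeholder names F5LAB / domain.local / domaincontroller.domain.local.
Import-Module ActiveDirectory

$MachineName = 'F5LAB'                        # must match the machine account name entered in APM
$Domain      = 'domain.local'
$DC          = 'domaincontroller.domain.local'
$OU          = 'OU=F5,DC=domain,DC=local'     # assumed OU; adjust for your directory

# 1. Create the stub computer object only if it does not already exist.
#    The sAMAccountName of a computer object carries a trailing '$' (the F5LAB$ seen in the nlad log).
$existing = Get-ADComputer -Server $DC -Filter "Name -eq '$MachineName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADComputer -Server $DC -Name $MachineName -SamAccountName "$MachineName`$" `
        -DNSHostName "$($MachineName.ToLower()).$Domain" -Path $OU -Enabled $true
    Write-Host "Pre-staged computer object $MachineName in $OU"
} else {
    Write-Host "Computer object $MachineName already exists; reusing it"
}

# 2. Now create the NTLM machine account in the BIG-IP GUI (Access > Authentication > NTLM >
#    Machine Account) using the same name, domain and DC. The join should update the
#    password of this pre-staged object rather than trying to create a new one.

# 3. Verify from the AD side after the join. pwdLastSet is a FILETIME (Int64); a value
#    from before you ran the join means APM never successfully wrote the password.
$acct = Get-ADComputer -Server $DC -Identity $MachineName -Properties pwdLastSet, Enabled, ServicePrincipalNames
$acct | Select-Object Name, SamAccountName, Enabled,
    @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
    ServicePrincipalNames

if (-not $acct.Enabled) {
    Write-Warning "$MachineName is disabled; the BIG-IP cannot authenticate with it until it is enabled"
}
if ([DateTime]::FromFileTime($acct.pwdLastSet) -lt (Get-Date).AddHours(-1)) {
    Write-Warning "pwdLastSet is older than an hour; the APM join probably did not set the password"
}
```

Run steps 1 and 3 from a domain-joined admin workstation (step 2 is done in the APM GUI in between). If step 3 still shows a stale pwdLastSet, the failure is upstream of AD: confirm, as the first reply suggests, that port 445 (and 88 for Kerberos) from the BIG-IP's self IP or management address to the DC is not filtered, since the nlad trace shows the connection being attempted to port 445.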