APM Kerberos Authentication - Logon agent instance is not available to be scheduled

Question

Hi,&nbsp;
I have an APM policy that receive user credentials and authenticate them with Kerberos authentication.&nbsp;
After receiving the payload the APM says (on var/log/apm) "AD module: Logon agent instance is not available to be scheduled" and then follow "Auth Failed" and "Deny" Ending.
I have tested the Active Directory AAA server (Fetch Groups) and it appears to be OK.
The max logon attempts set to 5. &nbsp;
Any suggestions? &nbsp;

kevin_stewart · Answer

Can you elaborate on your configuration? That error is usually a benign warning message and happens when some part of an AD auth/query fails.&nbsp;

moshiko_kochva · Answer

Update: after adding a Debug logging policy on the relevant APM policy I found that the password for the Active Directory user account that I have tried to authenticate has been expired. 
It's to bad that the APM doesn't log that in the default logging policy. &nbsp;
AD agent: Auth (logon attempt:0): Domain password has been expired and must be changed for 'User@Domain.com'&nbsp;
After resetting the user password the authentication succeeded. &nbsp;
Thanks Kevin. &nbsp;

moshiko_kochva · Answer

Update: after adding a Debug logging policy on the relevant APM policy I found that the password for the Active Directory user account that I have tried to authenticate has been expired. 
It's to bad that the APM doesn't log that in the default logging policy. &nbsp;
AD agent: Auth (logon attempt:0): Domain password has been expired and must be changed for 'User@Domain.com'&nbsp;
After resetting the user password the authentication succeeded. &nbsp;
Thanks Kevin. &nbsp;

Forum Discussion

APM Kerberos Authentication - Logon agent instance is not available to be scheduled

3 Replies

Recent Discussions

BIG-IP DNS iRule issue with static variable

Open Redirection Mitigation

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

(How) can I get two client certificates in one APM session?

Using okta as SSO to login F5 GUI

Related Content

Khoros article scheduling test

Get started with F5 Distributed Cloud WAAP Scheduled Reports

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Getting Started with BIG-IP Next: Configuring Instance High Availability

Silverline DDoS capabilities are now available in F5 Distributed Cloud