Forum Discussion

TJ_Vreugdenhil
May 02, 2014

Authenticate with AD on a LTM VIP

Hi - We have a Virtual Server:389 setup with three different AD Windows 2008 R2 Servers in the pool all on port 389.

We have another server (not configured on the LTM) to send authentication requests to this VIP:389 to Load Balance between the domain controllers in our pool. The server will respond back to the client if authentication passes (the traffic between the initial client and server does not traverse the LTM). However, this setup is not working. Is this possible to do? Is there AD authentication configuration I need to put on the LTM?

We just have the LTM license on this BIG-IP, but if we need to purchase the APM license to do this another way, we can think about that. However, this is an internal server and we don't need SSL VPN support.

Thanks!

6 Replies

  • kunjan

    Client =====> Server ====> LTM ===> DC Pool

    Is your set up as above?

    How do you force client to go to Server for AD auth? Similarly Server to LTM?

    • TJ_Vreugdenhil: yes kunjan - that is our setup. The user types their AD creds into the web portal page and then the Server checks with the VIP DC pool.
  • I would also look at the traffic between the LTM and DC. If it's pure LDAP, then you should be able to insert a WireShark capture right there and see what the LDAP looks like. If you don't see any traffic at all, or it fails to connect before any LDAP data passes, then you may have a layer 4 issue somewhere. If, however, you see LDAP data going back and forth, then you should also see any failures coming from the DC.

  • **Fix below**

    There were a couple of issues that I found with what they set up.

    1) A VMware host had a conflicting ARP entry with our AD LTM VIP, even though the VMware host was down. So we just changed the LTM VIP to a different IP.

    2) They had an xff HTTP profile attached to the AD VIP. This simply broke the connection.

    With the above corrected, everything looks good. No need for a forwarding VIP in this case. I mainly wanted to see if there was anything special you had to configure on the LTM to pass AD, but you guys answered that for me.

    Thank you!
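Putting the second finding above into a checkable form: the script below is an added example, not code from the thread or from F5. It parses two constructed config snippets written in a tmsh-style layout (the stanza syntax, the `profiles { }` block and the `ltm profile http` type are assumptions that approximate BIG-IP configuration, and the addresses and object names are made up) and flags any virtual server whose destination is an LDAP port but which carries an HTTP profile, which is exactly the mismatch that broke this VIP. The "broken" snippet attaches an HTTP profile with X-Forwarded-For insertion to a :389 virtual; the "fixed" snippet carries only a TCP profile.

```python
import re

# Constructed sample, tmsh-style layout (assumption: approximates BIG-IP
# config syntax; the names and addresses are invented for this example).
BROKEN_CONFIG = """
ltm profile http /Common/http_xff {
    defaults-from /Common/http
    insert-xforwarded-for enabled
}
ltm virtual /Common/vs_ad_ldap {
    destination /Common/10.0.0.50:389
    ip-protocol tcp
    pool /Common/pool_ad_dcs
    profiles {
        /Common/http_xff { }
        /Common/tcp { }
    }
}
"""

# Same virtual after the fix: new VIP address, TCP profile only.
FIXED_CONFIG = """
ltm virtual /Common/vs_ad_ldap {
    destination /Common/10.0.0.51:389
    ip-protocol tcp
    pool /Common/pool_ad_dcs
    profiles {
        /Common/tcp { }
    }
}
"""

# LDAP, LDAPS and the AD global catalog ports: none of these speak HTTP.
LDAP_PORTS = {389, 636, 3268, 3269}


def parse_stanzas(text):
    """Return a list of (header, body_lines) for each top-level
    `header { ... }` stanza, tracking brace depth so nested blocks
    (such as `profiles { ... }`) stay inside their parent stanza."""
    stanzas = []
    header, depth, body = None, 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            if line.endswith("{"):
                header, depth, body = line[:-1].strip(), 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            stanzas.append((header, body))  # closing brace of the stanza
        else:
            body.append(line)
    return stanzas


def lint_virtuals(text):
    """Flag virtual servers listening on an LDAP port that carry an HTTP
    profile. Returns a list of (virtual_name, port, [offending_profiles])."""
    stanzas = parse_stanzas(text)
    # The built-in /Common/http profile plus any http profile defined in
    # the config (assumption: the built-in profile is named /Common/http).
    http_profiles = {"/Common/http"}
    for header, _ in stanzas:
        if header.startswith("ltm profile http "):
            http_profiles.add(header.split()[-1])

    findings = []
    for header, body in stanzas:
        if not header.startswith("ltm virtual "):
            continue
        name = header.split()[-1]
        port, profiles, in_profiles = None, [], False
        for line in body:
            if line.startswith("destination "):
                m = re.search(r":(\d+)$", line)  # IPv4 form addr:port
                if m:
                    port = int(m.group(1))
            elif line.startswith("profiles {"):
                in_profiles = True
            elif in_profiles:
                if line == "}":
                    in_profiles = False
                else:
                    profiles.append(line.split()[0])
        offending = [p for p in profiles if p in http_profiles]
        if port in LDAP_PORTS and offending:
            findings.append((name, port, offending))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_virtuals(cfg))
```

Run against a `tmsh list ltm virtual` / `tmsh list ltm profile http` dump, the same check would point straight at a directory VIP that has been given a web profile; the ARP conflict from the first finding is not visible in the configuration and still needs a look at the network side.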