Forum Discussion

Injazat-SOC's avatar
Injazat-SOC
Icon for Nimbostratus rankNimbostratus
Jan 30, 2020

LTM AD login account locked out in first wrong password

We are observing a strange behavior that, when i enter a wrong password in LTM GUI it locks my AD account. However the AD server allows 5 wrong password before it locks the account. In LTM we have 4 AD servers added in authentication as below

 

User directory: Remote-Active-Directory

Host: AD1, AD2, AD3, AD4

 

Below is my wrong password authentication logs from /var/log/secure. Please help me to understand why the AD account locked for 1 wrong password attempt in LTM.

 

Jan 30 11:26:37 F5-DC notice httpd[12027]: pam_ldap(httpd:auth): Authentication failure; user=abcd

Jan 30 11:26:37 F5-DC warning httpd[12027]: pam_unix(httpd:auth): check pass; user unknown

Jan 30 11:26:37 F5-DC notice httpd[12027]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.0.1.36

Jan 30 11:26:39 F5-DC err httpd[12027]: [auth_pam:error] [pid 12027] [client 10.0.1.36:61918] AUTHCACHE PAM: user 'abcd' (fallback: false) - not authenticated: Authentication failure, referer: https://172.17.1.13/tmui/login.jsp

Jan 30 11:26:39 F5-DC info httpd(pam_audit)[12027]: User=abcd tty=(unknown) host=10.0.1.36 failed to login after 1 attempts (start="Thu Jan 30 11:26:36 2020" end="Thu Jan 30 11:26:39 2020").

Jan 30 11:26:39 F5-DC info httpd(pam_audit)[12027]: 01070417:6: AUDIT - user abcd - RAW: httpd(pam_audit): User=abcd tty=(unknown) host=10.0.1.36 failed to login after 1 attempts (start="Thu Jan 30 11:26:36 2020" end="Thu Jan 30 11:26:39 2020").

 

1 Reply

  • F5 LB never locks user access if it has configured with Remote auth(AD). It seems out of 4-AD's one AD server has not configured threshold limit properly. In order to rule-out try to add one by one in auth list.

    Hope it work for you.

    Thanks​