Forum Discussion

Zuke_254875
Aug 24, 2018

APM AD Pool member selected

Is there a way to determine in the APM logs which AD server was selected by the authentication agent? I have users reporting authentication errors on their phones, where their username and password fields are already filled in; they need between 3 and 10 attempts before authentication is successful.


  • Have you set Access to debug logging? You should see the server information and failed AD auth attempts.


  • Zuke

    Kevin, is this the log setting to which you are referring?


  • Yep, that's the setting. Is your AD pool (attached to your AD AAA agent object) configured with Group Priority activation and what health monitor are you using on that pool?


    Cheers,


    Kees


  • Zuke

    Thanks Kevin.


    Kees, I forgot that creating APM pools defaults to priority group activation. Viewing the pool statistics, only one of the servers is receiving traffic, which debunks my original theory that one of the two servers is having a problem.


    Now that I know only one of the two AD servers is getting traffic, I need to figure out why some users are getting denied multiple times before authenticating.


    The APM log says "general GSSAPI error."


  • The great thing about AD traffic is that it's typically unencrypted. If you fire up a tcpdump capture and look at it in Wireshark, you'll likely see where APM and the AD server are talking, and what's happening in that transaction.

    tcpdump -vvv -Xs0 -lnni [AD-side VLAN] -w [file.pcap]
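Once a capture like the one above has been taken, the first question in the thread (which pool member APM actually talked to) can be answered by reading the capture back with `tcpdump -nn -r file.pcap` and tallying the Kerberos/LDAP traffic per destination. The script below is an added example, not part of the thread; the tcpdump text lines it parses are constructed and the IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports an APM AD AAA server is expected to use towards a domain controller.
AD_PORTS = {88: "kerberos", 389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

# One line of `tcpdump -nn` text output: timestamp, IP, src.port > dst.port: Flags [...] or UDP
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|UDP)"
)

def tally_ad_traffic(lines):
    """Return {dc_ip: {service: packets, 'new_tcp_connections': n}} for packets
    sent to AD ports. Replies from the DC (source port 88/389/...) are skipped
    because their destination port is the client's ephemeral port."""
    per_server = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        svc = AD_PORTS.get(int(m.group("dport")))
        if svc is None:
            continue
        stats = per_server[m.group("dst")]
        stats[svc] += 1
        flags = m.group("flags") or ""          # UDP lines carry no TCP flags
        if "S" in flags and "." not in flags:   # SYN without ACK = new connection
            stats["new_tcp_connections"] += 1
    return {ip: dict(c) for ip, c in per_server.items()}

def busiest_server(tally):
    """The pool member that received the most AD packets (None if no AD traffic)."""
    if not tally:
        return None
    return max(tally, key=lambda ip: sum(tally[ip].values()))

# Constructed sample: APM at 10.10.0.5, two DCs at 10.20.0.11 / 10.20.0.12, plus unrelated HTTPS.
SAMPLE = """\
10:15:01.000001 IP 10.10.0.5.40001 > 10.20.0.11.88: Flags [S], seq 100, win 64240, length 0
10:15:01.000200 IP 10.20.0.11.88 > 10.10.0.5.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
10:15:01.000300 IP 10.10.0.5.40001 > 10.20.0.11.88: Flags [P.], seq 101:1500, ack 501, win 64240, length 1399
10:15:01.000900 IP 10.10.0.5.40002 > 10.20.0.11.389: Flags [S], seq 200, win 64240, length 0
10:15:02.000001 IP 10.10.0.5.50010 > 10.20.0.12.88: UDP, length 300
10:15:02.000002 IP 10.10.0.5.40003 > 10.20.0.11.636: Flags [S], seq 300, win 64240, length 0
10:15:03.000000 IP 10.10.0.5.40004 > 10.20.0.99.443: Flags [S], seq 400, win 64240, length 0
"""

if __name__ == "__main__":
    tally = tally_ad_traffic(SAMPLE.splitlines())
    for ip, stats in sorted(tally.items()):
        print(ip, stats)
    print("selected pool member:", busiest_server(tally))
```

On a real capture, feed it `tcpdump -nn -r file.pcap` output; if only one DC ever appears the pool is behaving as the priority-group setting dictates, and the per-server SYN count shows how many fresh connections each failed attempt costs.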