Forum Discussion
AD QUERY AFTER KERBEROS AUTHENTICATION
Can I use AD Query after Kerberos authentication?
I tried putting AD Query after Kerberos auth and Variable Assignment. AD Query search filter %{session.sso.token.last.username} and I found the following:
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.logon.last.domain' set to 'DOMAIN1.DOMAIN.COM'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'userPrincipalName' set to 'user1'
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_message_box_ag', return value 0
bigip info apmd[28998]: 01490006:6: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'Message Box' to item 'AD Query'
bigip debug apmd[28998]: 01490011:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: ENTER Function executeInstance
bigip debug apmd[28998]: 01490231:7: /frontend/f5-kerberos:frontend:8e2e231e: AD Agent: Configured to use /frontend/AAA-Servers as a server
bigip debug apmd[28998]: 01490023:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: ENTER Function queryActiveDirectory
bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
bigip debug apmd[28998]: 01490111:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: authenticate(): empty password detected (-1)
bigip debug apmd[28998]: 01490024:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: LEAVE Function queryActiveDirectory
bigip info apmd[28998]: 01490019:6: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: Query: query with 'user1' failed
bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for authentication to work properly.
bigip debug apmd[28998]: 01490012:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: LEAVE Function executeInstance
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_active_directory_query_ag', return value 0
bigip notice apmd[28998]: 01490005:5: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'AD Query' to ending 'Deny'
bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_end_deny_ag', return value 0
1 Reply
- zbirmingham
Nimbostratus
I had a similar issue where my domain name was getting appended to the username twice in the AD query, i.e. the username was being sent across in the AD Query as: username@DOMAIN.com@domain.com.
My fix was to add a "Variable Assign" between the Kerberos and AD Query steps within my Policy.
I set the Custom Variable field to:
session.logon.last.username
Then set the Custom Expression field to:
expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }
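As an added illustration (not code from either poster or from F5), the following Python pulls the two things worth checking out of apmd log lines like the ones quoted in the question: which sessions hit an AD Query failure, and whether apmd also flagged that the user name still carried domain information. It also mirrors the Tcl expression from the reply in Python so you can see what the Variable Assign actually produces for a doubly-suffixed name. The log layout (`msgid:severity: policy:profile:session: text`) and the meaning of the message ids are taken only from the lines quoted above; the sample lines are constructed copies of those, with the same placeholder session id and user name.

```python
import re
from typing import Dict, List, Optional

# Constructed sample apmd log lines modelled on those quoted in the question.
# Session id, process id and user name are the placeholders from the post.
SAMPLE_LOG = """\
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for authentication to work properly.
bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
"""

# Shape of an apmd message as seen above: "<msgid>:<severity>: <policy>:<profile>:<session>: <text>"
APMD_RE = re.compile(
    r"apmd\[\d+\]: (?P<msgid>\d{8}):(?P<sev>\d): "
    r"(?P<policy>[^:\s]+):(?P<profile>[^:\s]+):(?P<session>[0-9a-f]+): (?P<text>.*)$"
)
# Message ids and their meaning, taken from the quoted log lines (assumed stable).
MSG_AD_QUERY_FAILED = "01490107"
MSG_DOMAIN_IN_USERNAME = "01490162"
MSG_POLICY_RESULT = "01490102"

QUERY_FAILED_RE = re.compile(r"AD module: query with '(?P<user>[^']*)' failed: (?P<reason>.*)")
RESULT_RE = re.compile(r"Access policy result: (?P<result>\S+)")


def parse_apmd_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one apmd log line, or None if it is not an apmd line."""
    m = APMD_RE.search(line)
    return m.groupdict() if m else None


def sam_account_from_upn(username: str) -> str:
    """Python equivalent of the Tcl expression in the reply:
    expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }
    Everything from the first '@' onward is dropped, so a doubly-suffixed
    'user1@DOMAIN.com@domain.com' collapses to 'user1' exactly as in Tcl."""
    return username.split("@")[0]


def ad_query_failures(log_text: str) -> List[Dict[str, object]]:
    """Collect AD Query failures per session, noting whether apmd also reported
    that the user name still contained domain information (the 01490162 hint)."""
    failures: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        rec = parse_apmd_line(line)
        if rec is None:
            continue
        sid = rec["session"]
        if rec["msgid"] == MSG_AD_QUERY_FAILED:
            m = QUERY_FAILED_RE.search(rec["text"])
            failures[sid] = {
                "session": sid,
                "policy": rec["policy"],
                "user": m.group("user") if m else None,
                "reason": m.group("reason") if m else rec["text"],
                "domain_hint": False,
            }
        elif rec["msgid"] == MSG_DOMAIN_IN_USERNAME and sid in failures:
            failures[sid]["domain_hint"] = True
    return list(failures.values())


def access_policy_results(log_text: str) -> Dict[str, str]:
    """Map each session id to its final access policy result (e.g. Logon_Deny)."""
    results: Dict[str, str] = {}
    for line in log_text.splitlines():
        rec = parse_apmd_line(line)
        if rec and rec["msgid"] == MSG_POLICY_RESULT:
            m = RESULT_RE.search(rec["text"])
            if m:
                results[rec["session"]] = m.group("result")
    return results


if __name__ == "__main__":
    for f in ad_query_failures(SAMPLE_LOG):
        hint = "  (user name still carries domain info)" if f["domain_hint"] else ""
        print(f"session {f['session']}: AD Query for {f['user']!r} failed: {f['reason']}{hint}")
    print(access_policy_results(SAMPLE_LOG))
    print(sam_account_from_upn("user1@DOMAIN.com@domain.com"))
```

Run it against `/var/log/apm` output (or the `tmsh show` equivalent on your box) in place of `SAMPLE_LOG`; a session that shows both the 01490107 failure and the 01490162 hint is the pattern the reply's Variable Assign is meant to fix, since the AD Query then runs with a bare sAMAccountName rather than a UPN with one or more domain suffixes attached.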