Forum Discussion
APM + Active Directory Trusts
Have tried Split Domain From UserName and Cross Domain Support, and various combinations thereof. Ended up with all kinds of strange combinations in the logs like:
I think the results were something like the following.....
Split Domain From UserName Enabled / Cross Domain Support Disabled:
2013-11-14 19:47:53 Username 'child\user2' Common
2013-11-14 19:47:53 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2
2013-11-14 19:47:53 Following rule 'fallback' from item 'AD Auth' to ending 'Deny'

2013-11-14 19:48:13 Username 'user2@child.domain.com' Common
2013-11-14 19:48:13 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2
2013-11-14 19:48:13 Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Split Domain From UserName Enabled / Cross Domain Support Enabled:
2013-11-14 20:03:25 Username 'child\user2' Common
2013-11-14 20:03:56 Username 'user2' Common
2013-11-14 20:03:56 Retry Username 'user2' Common
2013-11-14 20:09:15 \N: Session deleted due to user inactivity or errors.

2013-11-14 20:04:34 Username 'child\user2' Common
2013-11-14 20:04:49 \N: Session deleted due to admin initiated termination. Common
2013-11-14 20:04:49 Following rule 'fallback' from item 'AD Auth' to ending 'Deny'

2013-11-14 20:31:12 Username 'user2@child.domain.com' Common
2013-11-14 20:32:42 Username 'user2@child.domain.com' Common
2013-11-14 20:32:42 Retry Username 'user2' Common
2013-11-14 20:38:05 \N: Session deleted due to user inactivity or errors.
Split Domain From UserName Disabled / Cross Domain Support Enabled:
2013-11-14 20:34:36 Username 'child\user2' Common
2013-11-14 20:34:36 AD module: authentication with 'child\user2@domain.com' failed: Client 'child\user2\@domain.com@domain.com' not found in Kerberos database, principal name: child\user2@domain.com@domain.com. Please verify Active Directory and DNS configuration. (-1765328378) Common

2013-11-14 20:34:50 Username 'user2@child.domain.com' Common
2013-11-14 20:34:50 Retry Username 'user2@child.domain.com' Common
2013-11-14 20:34:51 AD module: authentication with 'user2\@child.domain.com@domain.com' failed: Client 'user2\@child.airmis.airwave
Basically I just want the user to be able to stipulate the domain and for APM to forward that to the DC.
Seems that in the APM AD config, because you have entered the FQDN of 'domain.com', it doesn't understand there may be child domains/trusts.....
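A log-triage sketch for the entries quoted above, added here as an example; it is not part of the original post and not F5 tooling. It pairs the username the user submitted with the Kerberos client principal in the failure line and reports when the realm no longer matches the domain the user asked for. The function names are hypothetical, and it assumes the NetBIOS domain name equals the first DNS label of the domain.

```python
import re

# Log text copied from the post above, one login attempt per string.
SAMPLE = [
    r"2013-11-14 19:47:53 Username 'child\user2' Common 2013-11-14 19:47:53 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2 2013-11-14 19:47:53 Following rule 'fallback' from item 'AD Auth' to ending 'Deny'",
    r"2013-11-14 19:48:13 Username 'user2@child.domain.com' Common 2013-11-14 19:48:13 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2 2013-11-14 19:48:13 Following rule 'fallback' from item 'AD Auth' to ending 'Deny'",
    r"2013-11-14 20:34:36 Username 'child\user2' Common 2013-11-14 20:34:36 AD module: authentication with 'child\user2@domain.com' failed: Client 'child\user2\@domain.com@domain.com' not found in Kerberos database, principal name: child\user2@domain.com@domain.com. Please verify Active Directory and DNS configuration. (-1765328378) Common",
]

# Entries are run together on one line; a timestamp marks the start of each.
TS = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )")
SUBMITTED = re.compile(r"(?<!Retry )Username '([^']*)'")
KRB_FAIL = re.compile(r"Client '([^']*)' not found in Kerberos database")


def split_entries(blob):
    """Split a flattened log blob into one string per timestamped entry."""
    return [e.strip() for e in TS.split(blob) if e.strip()]


def submitted_domain(username):
    """Return (domain, kind) for DOMAIN\\user or user@dns.domain input."""
    if "\\" in username:
        return username.split("\\", 1)[0].lower(), "netbios"
    if "@" in username:
        return username.rsplit("@", 1)[1].lower(), "dns"
    return None, None


def triage(blob):
    """List (submitted, requested_domain, realm_tried) where they disagree."""
    findings, submitted = [], None
    for entry in split_entries(blob):
        m = SUBMITTED.search(entry)
        if m and submitted is None:
            submitted = m.group(1)          # first non-retry username
        m = KRB_FAIL.search(entry)
        if m and submitted:
            realm = m.group(1).rsplit("@", 1)[-1].lower()
            dom, kind = submitted_domain(submitted)
            if dom is None:
                continue
            # Assumption: NetBIOS name == first DNS label of the realm.
            expected = realm.split(".")[0] if kind == "netbios" else realm
            if dom != expected:
                findings.append((submitted, dom, realm))
    return findings
```

On all three attempts the requested domain is `child` or `child.domain.com`, while the principal that failed was looked up in `domain.com`.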