For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mike_aws_119486's avatar
mike_aws_119486
Icon for Nimbostratus rankNimbostratus
Nov 14, 2013

APM + Active Directory Trusts

We have two domains as follows: domain.com (DOMAIN) child.domain.com (CHILD) CHILD is a child domain of the parent domain in the same forest and thus there is a two way trust between them. On o...
BIG-IP Access Policy Manager (APM)
microsoft
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 15, 2013

Try this:

 

  1. Add a session variable for session.logon.last.domain and set it to CHILD.DOMAIN.COM.

     

  2. Enable cross domain support in the AD auth (split domain shouldn't matter for this test).

     

  3. Run a WireShark from the DC and capture the Kerberos and DNS traffic from APM.

     

  4. Test with just the username and password for a CHILD domain member (no domain association).

     

The split domain function is supposed to separate the domain portion of a username (domain\user or user@domain) and set that in the session.logon.last.domain variable. The above bypasses that to test just the Kerberos and DNS transactions. You want to APM contact its local KDC, get a referral for the CHILD domain, and then request a ticket from the CHILD domain.