APM V11.1HF1 querying Active Directory
Hi Everyone,
I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (built from the wizard), but I'm attempting to check if the users are a member of an AD group, and assigning resources accordingly. So for example, members of Administrators would see the server(s) RDC connections, while everyone else would just be able to access apps/network connect.
To do this, I'm attempting to use 'Active Directory Auth has Passed' AND User is a member of CN=Administrators, CN=Builtin, DC=mydomain, DC=local, which is set to the topmost item in the branch rules. Below that is just a simple 'Active Directory Auth has Passed' condition. On execution of the policy, I never hit the topmost condition, no matter how many ways I've tried it. On further review, I noticed the following in the logging of APM.
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
Which tells me the var in memory is never actually populated. I have run adtest and verified the F5 VM is able to communicate with AD, so I'm a bit at a loss on how I might get this working. If anyone has any tips, it would be a great help.
Thank You!
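The apd debug lines above show the pattern to look for when a branch rule silently never matches: the rule reads a session variable via mcget, and a later getSessionVar() line reports that variable as not found in MEMCACHED. The following is an added example (not from the post or from F5) that parses such log lines and reports, per session, the variables a rule referenced that APM then failed to find; the sample log is constructed from the four lines quoted above.

```python
import re

# Constructed sample: the four apd debug lines quoted in the post, reassembled
# here as test input. Session id and DN are the ones the post shows.
SAMPLE_LOG = """\
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
"""

# The Tcl branch-rule expression as logged by execute()
RULE_RE = re.compile(r'Rule to evaluate = "(.*)"\s*$')
# Each [mcget {session.x.y}] inside that expression
MCGET_RE = re.compile(r'\[mcget \{([^}]+)\}\]')
# The definitive miss: local cache AND memcached both lacked the variable
MISSING_RE = re.compile(
    r'variable "([^"]+)" for session "([^"]+)" was not found in MEMCACHED')


def referenced_vars(rule_expr):
    """Return the session variables a branch-rule expression reads via mcget."""
    return MCGET_RE.findall(rule_expr)


def unpopulated_vars(log_text):
    """Map session id -> sorted list of rule-referenced variables APM never found.

    A variable is reported only if some rule referenced it AND a MEMCACHED miss
    was logged for it, so misses for variables no rule uses are ignored.
    """
    wanted = set()
    misses = {}
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            wanted.update(referenced_vars(m.group(1)))
            continue
        m = MISSING_RE.search(line)
        if m:
            misses.setdefault(m.group(2), set()).add(m.group(1))
    return {sid: sorted(v for v in vs if v in wanted) for sid, vs in misses.items()}


if __name__ == "__main__":
    for sid, names in unpopulated_vars(SAMPLE_LOG).items():
        print(f"session {sid}: rule depends on unpopulated vars: {', '.join(names)}")
```

A non-empty result means the rule can never take that branch regardless of the user's group membership; the fix belongs in the policy that is supposed to set the variable, not in the rule expression.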
- farache_28983 (Nimbostratus): I have tried Cross domain support, but it did not look like it was doing anything.
- David_Stout (Nimbostratus): I have a working system with both multi-domain AD and LDAP auth. The principle behind both is the same and I had to be a little creative on this. I'll get some screen shots together later.
- David_Stout (Nimbostratus): I have a document with the steps in but I can't upload to this thread (editor not working for me). Message me your email address and I'll mail it instead.
- Sergey_Khudyako (Nimbostratus): Hello, not sure if you can answer this question but it's regarding the user challenge for password change. I have two factor authentication and two separate AD domains for user authentication. All works fine until the time when a user's password expires and he/she needs to change it. Once it expires the user is no longer able to log on to any resources and no error messages are shown. It just brings them back to the logon screen. Do you happen to know where in the core (or VPE) the option is to prompt the user to change password at next logon?
- It should definitely work and the user should be prompted to change their password. What exactly are you seeing? Can you try with a plain vanilla non-customized access policy - just logon page, then AD Auth to the domain that has the user expired, then allow? That is a good way to find out where and how exactly we should approach troubleshooting this situation further - i.e. if the problem is due to the configuration of the VPE or somewhere below...
- Sergey_Khudyako (Nimbostratus): It seems that we have some KERBEROS issue negotiating encryption standards while using the password change challenge. However, we don't have this problem when we just authenticate users without that prompt. Basically it failed on DES from APM to the Win2008 server, but not sure why it's not an issue with just simple authentication though.
- Sergey_Khudyako (Nimbostratus): Here is what we were getting:
- Sounds strange - I suggest opening a case with support to investigate this further.