Forum Discussion
Changing AD UPN
Do your domains have a domain trust? I will assume yes, because if you didn't, the UserDomain could not access the ResourceDomain.
So, if your domains are trusted, and authoritative for unique domain suffixes, then you can just make sure that DNS is properly configured in all domains, and allow LDAP forwarding to do its job.
Are you using Kerberos? You can enable DNS lookups for REALMS in the krb5.conf file on the BIG-IP to help. You can also hard code the KDC for the REALMS you know you need to support. You can also use an iRule to determine which REALM users are in and modify as needed. This will make sure that when the request comes in to the KDC, it knows which KDC to send the request to for that specific REALM.
For example:
    when ACCESS_POLICY_AGENT_EVENT {
        # The agent ID is the one set on the iRule Event agent in the access policy.
        switch [ACCESS::policy agent_id] {
            "DOMAIN1" {
                # Set the logon domain (Kerberos realm) for this session
                ACCESS::session data set session.logon.last.domain "F5LAB.LOCAL"
            }
            "DOMAIN2" {
                ACCESS::session data set session.logon.last.domain "MSDOMAIN.LOCAL"
            }
        }
    }
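The two krb5.conf options mentioned in the reply, shown side by side as an added example that is not part of the original post. The realm names are taken from the iRule above; the KDC host names and the domain-to-realm mappings are placeholders assumed for illustration.

```ini
# Added example fragment, not from the original post.
[libdefaults]
    # Option 1: discover realms and KDCs through DNS.
    # Realm lookup uses TXT records named _kerberos.<domain>.
    dns_lookup_realm = true
    # KDC lookup uses SRV records named _kerberos._udp.<REALM>.
    dns_lookup_kdc = true

[realms]
    # Option 2: hard code the KDC for each realm you know you must support.
    # Host names below are placeholders (assumed, not from the post).
    F5LAB.LOCAL = {
        kdc = dc1.f5lab.local:88
    }
    MSDOMAIN.LOCAL = {
        kdc = dc1.msdomain.local:88
    }

[domain_realm]
    # Map DNS suffixes to realms so host names resolve to the right realm
    # without a DNS TXT lookup (suffixes assumed for illustration).
    .f5lab.local = F5LAB.LOCAL
    .msdomain.local = MSDOMAIN.LOCAL
```

Realms listed under [realms] use the pinned KDCs, and DNS discovery covers realms with no entry; DNS answers are unauthenticated unless the zone is signed, so pinning is the stricter choice for realms you control.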