default session variables and domain splitting

Question

In my environment I have multiple AD forests that I need to authenticate users against for access to either Exchange 2007 or Exchange 2010.  When attempting to login, the user credentials that are being passed aren't working for logon to the domain.&nbsp;
On the logon page I request the following format for imput:&nbsp;
Domain\UserID&nbsp;
I am doing this so that I can then use the following expression to determine the AD resource to authenticate against:&nbsp;
Expression: expr { [mcget {session.logon.last.username}] contains "na.corp"}&nbsp;
The failure comes from the following issue:&nbsp;
'na.corp\userID@NA.CORP'&nbsp;
What I am trying to do is split the input (but retain the session.logon.last.username for SSO) for AD authentication.  Does anyone know the default behavior of split in the APM?  Is there documentation on what it returns and how?&nbsp;
I have started, but I am expecting the following split to generate two "fields."&nbsp;
session.custom.userID = [split [mcget {session.logon.last.username}] "\"]&nbsp;
What I really want is to have the two variables returned to two custom session variables.&nbsp;
I would use the default splitting from the logon page, but I have not been able to find what variable the domain gets stuck into if you do that.&nbsp;
 &nbsp;
Please any help is greatly appreciated.&nbsp;
 &nbsp;
 &nbsp;

peter_baumann_5 · Answer

Hi llewdis,
I dont know if it helps but in a troubleshooting session I just did I figured out the following variables:
session.logon.last.domain = Only the domain name of the login
session.logon.last.logonname = uid@domainname
session.logon.last.username = Only uid

The above is when you select "Split domain from full Username" in the Logon Box.

Hope it helps...

Best regards,
Peter

david_123856 · Answer

Peter's answer is right on the money from what I've seen for the three variables in the split, although sometimes you will get a logonname of domainname\uid - its really just whats typed in the box.
The branch rule expression I use to determine forests is like the below (for one example branch) - where the split option is on in the logon box. The last one searches for the forest DNS suffix and the || give you or options
expr {
    [string tolower [mcget {session.last.logon.domain}]] == "netbios1"
    ||
    [string tolower [mcget {session.last.logon.domain}]] == "netbios2"
    ||
    [string first -nocase ".forestdns.com" [mcget {session.last.logon.domain}]] &gt;= 0
}

Forum Discussion

default session variables and domain splitting

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

rSeries Configuration Backup

Questions on Migrating configs from iSeries to RSeries F5s

AST Configuration help

reading Client SSL Profile details via Ansible

Raise your hand if you'll be at AppWorld 2026

Related Content

SSL VPN Split Tunneling and Office 365

GSLB Split DNS by iRule

F5 XC Distributed Cloud DNS GSLB implementing Split-DNS

APM variable assign examples

Getting Started with iRules: Variables

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS