Forum Discussion

Preet_pk
Nov 27, 2023

F5 APM AD login

Hi Team,

As part of the APM AD integration, I am able to log in with a SAM account user on the logon page, but with an email address it fails. How do I allow users to log in with their email ID?


  • This "what username do I use" question can be hard for end users. A solution that handles EITHER email or samaccountname can help reduce help desk questions. Luckily APM is flexible enough to handle this kind of programmability.

    I'll assume you use the "AD Auth" agent, which utilizes Kerberos authentication against ADS, which uses the user's SAMACCOUNTNAME@DOMAIN as the client principal. When you use the flow:
    Logon Page --> AD Auth, 

    the Logon Page collects the username/pw from the user and validates it against the configured AD server.

    We can use a different flow that collects the username/pw, looks up the username in AD DS to find the samaccountname, assigns that value to the username, and then does the AD Auth validation step. Let's see how this would work:

    1- Auth should be in a macro. Let's add a pre-configured "send-OTP-to-AD-email" macro that's close to what we want. This one has AD Auth and AD Query already.

    2- Delete the OTP agents.

    3- Change the AD Query to have a Search Filter that searches "mail" or "samaccountname" for the value that the user put into the "logon name" box:

    You may want a different search filter for your directory, but this one worked for me. Note that "%{session.logon.last.logonname}" is replaced with the logon page value when the user logs in:

    (&(objectCategory=Person)(|(sAMAccountName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname})))

    4- Next you want a "variable assign" to assign the samaccountname to the username variable. This is case sensitive.

    5- Save the policy and attach it to a virtual and test it out.

    If you have any problems, the relevant logs you want are like this:

    Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'fallback' from item 'Logon Page' to item 'AD Query'

    Nov 27 12:04:54 west debug apmd[19210]: 01490064:7: /Common/test:Common:f4dbb744: AD module: query with '(&(objectCategory=Person)(|(sAMAccountName=taccount)(mail=taccount)))' successfully

    Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'Successful' from item 'AD Query' to item 'Variable Assign'

    Nov 27 12:04:54 west debug apmd[19210]: 01490266:7: /Common/test:Common:f4dbb744: modules/VariableAssignment/VariableAssignmentAgent.cpp: 'VariableAssignmentAgentexecuteInstance()': 1361: ConfigName: session.logon.last.username, ConfigVal taccount

    Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'fallback' from item 'Variable Assign' to item 'AD Auth'


    NOTE: The one weird thing about how this works is that if the user puts in their email and the wrong password, the "retry your login" will show the user's samaccountname instead of the user's email. Solving this issue is more difficult because of the architecture of password-retries in APM. But hopefully this approach will make it easier for your users anyway.
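    To make the lookup-and-assign flow above concrete, here is a small Python emulation of steps 3 and 4. It is an added example, not F5's code or the poster's configuration: the directory entries are constructed, the filter string is the one from step 3 with the logon value substituted, and the example additionally escapes that value per RFC 4515 before substitution (the post does not say whether APM does this itself). The final function also reproduces the NOTE's behaviour: after a successful query the username variable holds the sAMAccountName even when the user typed their email.

```python
# Constructed sample AD entries (not real accounts), limited to the attributes
# the AD Query filter in the post touches.
DIRECTORY = [
    {"objectCategory": "Person", "sAMAccountName": "taccount", "mail": "t.account@example.com"},
    {"objectCategory": "Person", "sAMAccountName": "jdoe", "mail": "jane.doe@example.com"},
    {"objectCategory": "Computer", "sAMAccountName": "ws01$", "mail": ""},
]

# RFC 4515 escapes for characters that have meaning inside an LDAP filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(logonname: str) -> str:
    """Step 3: the post's filter with %{session.logon.last.logonname} substituted."""
    v = escape_filter_value(logonname)
    return f"(&(objectCategory=Person)(|(sAMAccountName={v})(mail={v})))"


def resolve_samaccountname(logonname: str):
    """Emulate the AD Query: match the logon value against mail or sAMAccountName
    (case-insensitively, as AD compares these attributes) on Person objects only.
    Returns the sAMAccountName for exactly one match, otherwise None (this example
    treats zero or several matches as a failed lookup)."""
    needle = logonname.casefold()
    hits = [e for e in DIRECTORY
            if e["objectCategory"] == "Person"
            and needle in (e["sAMAccountName"].casefold(), e["mail"].casefold())]
    if len(hits) != 1:
        return None
    return hits[0]["sAMAccountName"]


def session_after_query(logonname: str) -> dict:
    """Steps 3 + 4: the session variables as they stand when AD Auth runs.
    session.logon.last.username receives the sAMAccountName (case-sensitive name),
    which is why a retry prompt would display it instead of the typed email."""
    session = {"session.logon.last.logonname": logonname}
    sam = resolve_samaccountname(logonname)
    if sam is not None:
        session["session.logon.last.username"] = sam
    return session
```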


    • Preet_pk

      Hi Lucas_Thompson

      Thanks for the configuration details shared above; email login is working now. I am now adding RADIUS auth after AD Auth for MFA, which is failing with the email ID (Access-Reject). Please let me know the modification to be made to the RADIUS authentication for the email ID.