Preet_pk
Nov 27, 2023
F5 APM AD login
Hi Team,
As part of APM AD integration, I am able to log in with a SAM Account user on the logon page. But with an email address it is failing. How to allow email ID user login?
This "what username do I use" question can be hard for end users. A solution that handles EITHER email or samaccountname can help reduce help desk questions. Luckily APM is flexible enough to handle this kind of programmability.
I'll assume you use the "AD Auth" agent, which utilizes Kerberos authentication against ADS, which uses the user's SAMACCOUNTNAME@DOMAIN as the client principal. When you use the flow:
Logon Page --> AD Auth,
the Logon Page collects the username/pw from the user and validates it against the configured AD server.
We can use a different flow that collects the username/pw, looks up the username in AD DS to find the samaccountname, assigns that value to the username, and then does the AD Auth validation step. Let's see how this would work:
1- Auth should be in a macro. Let's add a pre-configured "send-OTP-to-AD-email" macro that's close to what we want. This one has AD Auth and AD Query already.
2- Delete the OTP agents.
3- Change the AD Query to have a Search Filter that searches "mail" or "samaccountname" for the value that the user put into the "logon name" box:
You may want a different search filter for your directory, but this one worked for me. Note that "%{session.logon.last.logonname}" is replaced with the logon page value when the user logs in:
(&(objectCategory=Person)(|(sAMAccountName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname})))
4- Next you want a "variable assign" to assign the samaccountname to the username variable. This is case sensitive:
5- Save the policy and attach it to a virtual and test it out.
If you have any problems, the relevant logs you want are like this:
Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'fallback' from item 'Logon Page' to item 'AD Query'
Nov 27 12:04:54 west debug apmd[19210]: 01490064:7: /Common/test:Common:f4dbb744: AD module: query with '(&(objectCategory=Person)(|(sAMAccountName=taccount)(mail=taccount)))' successfully
Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'Successful' from item 'AD Query' to item 'Variable Assign'
Nov 27 12:04:54 west debug apmd[19210]: 01490266:7: /Common/test:Common:f4dbb744: modules/VariableAssignment/VariableAssignmentAgent.cpp: 'VariableAssignmentAgentexecuteInstance()': 1361: ConfigName: session.logon.last.username, ConfigVal taccount
Nov 27 12:04:54 west info apmd[19210]: 01490006:6: /Common/test:Common:f4dbb744: Following rule 'fallback' from item 'Variable Assign' to item 'AD Auth'
NOTE: The one weird thing about how this works is that if the user puts in their email and the wrong password, the "retry your login" will show the user's samaccountname instead of the user's email. Solving this issue is more difficult because of the architecture of password-retries in APM. But hopefully this approach will make it easier for your users anyway.
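An added Python emulation of the flow in the answer above (not F5 code, and no substitute for the APM configuration): it builds the step-3 filter from the logon name, resolves it against a constructed directory to the sAMAccountName that step 4 assigns, and reproduces why the retry page shows the sAMAccountName after a wrong password. The directory entries, passwords and the RFC 4515 escape helper are assumptions of this example.

```python
# Constructed sample of AD DS entries; nothing here comes from a real domain.
DIRECTORY = [
    {"objectCategory": "Person", "sAMAccountName": "taccount",
     "mail": "test.account@example.com", "password": "correct-horse"},
    {"objectCategory": "Person", "sAMAccountName": "jdoe",
     "mail": "jane.doe@example.com", "password": "battery-staple"},
]


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a logon
    name containing '*', '(', ')' or '\\' cannot alter the filter's structure.
    APM substitutes %{session.logon.last.logonname} verbatim, so this shows
    what a safely quoted filter would look like (helper is an assumption)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(logonname: str) -> str:
    """The filter from step 3 of the answer, with the logon name substituted."""
    v = escape_ldap_value(logonname)
    return f"(&(objectCategory=Person)(|(sAMAccountName={v})(mail={v})))"


def ad_query(logonname: str):
    """AD Query step: the single matching entry, or None (branch 'fallback')."""
    needle = logonname.casefold()  # AD matches these attributes case-insensitively
    hits = [e for e in DIRECTORY if e["objectCategory"] == "Person"
            and needle in (e["sAMAccountName"].casefold(), e["mail"].casefold())]
    return hits[0] if len(hits) == 1 else None


def run_policy(logonname: str, password: str) -> dict:
    # Logon Page populates both variables from the "logon name" box.
    session = {"session.logon.last.logonname": logonname,
               "session.logon.last.username": logonname}
    entry = ad_query(logonname)
    if entry is None:
        session["result"] = "deny"  # AD Query fallback branch -> Deny
        return session
    # Variable Assign (step 4): username := sAMAccountName, variable name is case sensitive
    session["session.logon.last.username"] = entry["sAMAccountName"]
    # AD Auth validates the resolved sAMAccountName against the password;
    # on a wrong password the session keeps the sAMAccountName, hence the retry quirk.
    session["result"] = "allow" if password == entry["password"] else "deny"
    return session
```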
Thanks for the configuration details shared above, email login is working now. I am now adding RADIUS auth after AD Auth for MFA authentication, which is failing with email ID (Access-Reject). Please let me know the modification to be made for RADIUS authentication for email ID.
That question is significantly more complicated, because it involves figuring out whatever specific attribute-ID/value pairs work with your specific RADIUS server. Luckily the RADIUS protocol can be viewed easily with wireshark. This article (and others that discuss RADIUS and APM) should help:
You'll also need to make sure you have your RADIUS server admin's help with the shared secret and the allowed-client list on the server.