Forum Discussion

siru_129409
Feb 03, 2016

F5 APM AD Query is failing for users having long username

Hi

I have a running setup of LTM+APM+ASM in order to load balance and secure various applications, including Microsoft Exchange 2013.

I have configured two-factor authentication for all application access with Active Directory followed by OTP (an SMS gateway is used to deliver the OTP).

Now I found a strange issue on F5: users having a long username (let's say more than 20 characters) are failing the AD Query.

In the APM logs it shows AD Auth is successful, whereas AD Query is failing, as shown below.

 

Feb 2 18:19:47 bigip notice apd[6329]: 01490010:5: 6f817c66: Username 'abc12345678901234567890'
Feb 2 18:19:47 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_logon_page_ag', return value 0
Feb 2 18:19:47 bigip info apd[6329]: 01490006:6: 6f817c66: Following rule 'fallback' from item 'Logon Page' to item 'AD Auth'
Feb 2 18:19:47 bigip info apd[6329]: 01490017:6: 6f817c66: AD agent: Auth (logon attempt:0): authenticate with 'abc12345678901234567890' successful
Feb 2 18:19:47 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_active_directory_auth_ag', return value 0
Feb 2 18:19:47 bigip info apd[6329]: 01490006:6: 6f817c66: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'
Feb 2 18:19:48 bigip err apd[6329]: 01490107:3: 6f817c66: AD module: query with 'sAMAccountName=abc12345678901234567890' failed: no matching user found with filter sAMAccountName=abc12345678901234567890 (-1)
Feb 2 18:19:48 bigip info apd[6329]: 01490019:6: 6f817c66: AD agent: Query: query with 'sAMAccountName=abc12345678901234567890' failed
Feb 2 18:19:48 bigip info apd[6329]: 01490004:6: 6f817c66: Executed agent '/Common/AMM_AD_1_act_active_directory_query_ag', return value 0
Feb 2 18:19:48 bigip notice apd[6329]: 01490005:5: 6f817c66: Following rule 'fallback' from item 'AD Query' to ending 'Deny'

 

What I noticed is that users having a username with up to 20 characters are able to log in and access the application without any problem, and if the username is more than 20 characters it's failing.

We have multiple users with long usernames; if anyone can help to resolve/advise on this, that would be highly appreciated.
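The log excerpt in the post can be checked mechanically. The following Python script is an added example, not code from the post or from F5: it parses apd log records, groups them by session ID, and flags sessions where AD Auth succeeded but the AD Query filter used a sAMAccountName value longer than 20 characters, which is the maximum length Active Directory allows for that attribute (the pre-Windows 2000 logon name). The record layout, regexes and field names are assumptions inferred from the lines quoted above; the first session in the sample is the one from the post, the second (session 1a2b3c4d, user 'jdoe') is constructed to show a normal short-username flow.

```python
import re
from collections import defaultdict

# Active Directory caps sAMAccountName (the pre-Windows 2000 logon name) at 20 characters.
SAM_ACCOUNT_NAME_MAX = 20

# Layout of one apd record, inferred from the lines quoted in the post (assumption):
#   <timestamp> <host> <severity> apd[<pid>]: <msgid>:<level>: <session id>: <message>
APD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<sev>\w+) apd\[(?P<pid>\d+)\]: "
    r"(?P<msgid>[0-9a-fA-F]+):(?P<level>\d+): (?P<sid>[0-9a-fA-F]+): (?P<msg>.*)$"
)
# Message patterns taken from the quoted lines (assumed to be stable wording).
AUTH_OK = re.compile(r"AD agent: Auth .*authenticate with '(?P<user>[^']+)' successful")
QUERY_FAILED = re.compile(r"AD module: query with '(?P<filter>[^']+)' failed")
DENIED = re.compile(r"to ending 'Deny'")


def parse_apd_line(line):
    """Return the fields of one apd log record, or None if the line does not match."""
    m = APD_LINE.match(line.strip())
    return m.groupdict() if m else None


def _new_session():
    return {"auth_user": None, "auth_ok": False, "query_failed": False,
            "query_filter": None, "username": None, "username_len": 0,
            "exceeds_sam_limit": False, "denied": False, "verdict": "ok"}


def analyze_sessions(lines):
    """Group apd records by session id and explain the AD Auth / AD Query outcome."""
    sessions = defaultdict(_new_session)
    for line in lines:
        rec = parse_apd_line(line)
        if rec is None:
            continue
        s = sessions[rec["sid"]]
        msg = rec["msg"]
        if m := AUTH_OK.search(msg):
            s["auth_ok"] = True
            s["auth_user"] = m.group("user")
        elif m := QUERY_FAILED.search(msg):
            s["query_failed"] = True
            s["query_filter"] = m.group("filter")
            attr, _, value = m.group("filter").partition("=")
            s["username"] = value
            s["username_len"] = len(value)
            # A value longer than 20 chars can never equal a sAMAccountName, so the
            # lookup fails even though Kerberos/NTLM authentication of the user succeeded.
            if attr.lower() == "samaccountname" and len(value) > SAM_ACCOUNT_NAME_MAX:
                s["exceeds_sam_limit"] = True
        elif DENIED.search(msg):
            s["denied"] = True
    for s in sessions.values():
        if s["auth_ok"] and s["exceeds_sam_limit"]:
            s["verdict"] = ("authenticated, but the query filter uses a sAMAccountName value "
                            f"longer than {SAM_ACCOUNT_NAME_MAX} chars; look the user up by "
                            "userPrincipalName instead")
        elif s["query_failed"]:
            s["verdict"] = "query failed for another reason; check the filter and search base"
    return dict(sessions)


# Sample input: the first session's records are the ones quoted in the post; the second
# session (id 1a2b3c4d, user 'jdoe') is constructed and its final 'Allow' line is assumed.
SAMPLE_LOG = [
    "Feb 2 18:19:47 bigip notice apd[6329]: 01490010:5: 6f817c66: Username 'abc12345678901234567890'",
    "Feb 2 18:19:47 bigip info apd[6329]: 01490017:6: 6f817c66: AD agent: Auth (logon attempt:0): authenticate with 'abc12345678901234567890' successful",
    "Feb 2 18:19:47 bigip info apd[6329]: 01490006:6: 6f817c66: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'",
    "Feb 2 18:19:48 bigip err apd[6329]: 01490107:3: 6f817c66: AD module: query with 'sAMAccountName=abc12345678901234567890' failed: no matching user found with filter sAMAccountName=abc12345678901234567890 (-1)",
    "Feb 2 18:19:48 bigip notice apd[6329]: 01490005:5: 6f817c66: Following rule 'fallback' from item 'AD Query' to ending 'Deny'",
    "Feb 2 18:20:03 bigip notice apd[6329]: 01490010:5: 1a2b3c4d: Username 'jdoe'",
    "Feb 2 18:20:03 bigip info apd[6329]: 01490017:6: 1a2b3c4d: AD agent: Auth (logon attempt:0): authenticate with 'jdoe' successful",
    "Feb 2 18:20:03 bigip info apd[6329]: 01490006:6: 1a2b3c4d: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'",
    "Feb 2 18:20:04 bigip info apd[6329]: 01490006:6: 1a2b3c4d: Following rule 'Successful' from item 'AD Query' to ending 'Allow'",
]

if __name__ == "__main__":
    for sid, s in analyze_sessions(SAMPLE_LOG).items():
        print(sid, s["auth_user"], s["username_len"], s["verdict"])
```

Run it against `/var/log/apm` output and any session whose verdict mentions sAMAccountName is a user whose logon name exceeds the attribute's limit; the check is on the filter value length, so it also catches usernames that were padded or mangled before the query was built.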


  • Just a shot in the dark here, but have you tried using LDAP Auth and LDAP Query instead of AD Auth and AD Query? It doesn't always make a difference, but I have seen some issues where using LDAP instead of AD solves the problem.