F5 APM Check Domain Membership
Hello Community,
In F5 APM policies, is there any option to check the domain membership of a computer?
We need to create a policy to restrict access to only computers joined to the domain.
Thanks for your help.
Christian G.
- Kin (Employee)
Unfortunately, there is no direct way to do this yet. But there are alternatives. See
https://devcentral.f5.com/s/question/0D71T0000057x17/bigip-apm-edge-client-for-mac
- Dave_W (Employee)
Hello, you do this by adding a Registry Check object in the APM VPE and using the following in that check:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"."Domain"="example.F5.com"
- Christian (Altocumulus)
Hello, thanks for your reply. I found this information, which says that I can use a Machine Certification Authentication Agent to check domain membership. Has anyone used this method?
Machine Certification Authentication Agent
When configured on the domain controller, Windows Machine Certificates will automatically be installed when a Windows PC joins the AD domain. This is true for Windows Vista and later and Windows 2008 Server and later. The process of installing the machine certificate is manual for earlier versions.
This machine cert can be used in the authentication process, typically as part of a two-factor auth process. There are three branches for the agent.
• Successful: the Machine Certificate was found and the private key was verified.
• Found: the Machine Certificate was found, but the private key was not verified. This is possibly because it could not be read due to misconfiguration or due to Windows permissions. Regardless of reason, this is not a valid security proposition.
• Fallback: as an invalid logon attempt.
- Dave_W (Employee)
I am not aware of doing a domain check with a Machine Cert, nor do I see anything in the info posted that indicates you can do this.
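
A local verification of the Registry Check suggested earlier in this thread, as an added example that is not part of the original posts and not F5's own code: run on a reference Windows client, it reads the same `Domain` value the check references and compares it with what Windows itself reports for domain membership. `$ExpectedDomain` defaults to the placeholder from the post, and the output property names are made up for this example.

```powershell
# Added example: shows what the APM Registry Check would see on this client.
# $ExpectedDomain is the placeholder from the thread; pass your own AD DNS domain.
param(
    [string]$ExpectedDomain = 'example.F5.com'
)

# Same key and value name as in the Registry Check expression.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regDomain = (Get-ItemProperty -Path $keyPath -Name 'Domain' -ErrorAction SilentlyContinue).Domain

# What Windows reports: PartOfDomain is $true only for a domain-joined machine;
# Domain holds the AD DNS domain name (or the workgroup name when not joined).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    RegistryDomain  = $regDomain
    # Case-insensitive comparison is an assumption of this example.
    RegistryMatches = [bool]($regDomain -and ($regDomain -ieq $ExpectedDomain))
    PartOfDomain    = $cs.PartOfDomain
    CimDomain       = $cs.Domain
    # True when the registry value and the joined domain name are the same.
    ValuesAgree     = [bool]($cs.PartOfDomain -and ($regDomain -ieq $cs.Domain))
} | Format-List
```

If `RegistryMatches` is true while `PartOfDomain` is false on a test machine, the string match alone is not telling you the machine is joined, and the policy needs an additional check.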