getting errors while using "on demand certificate authentication with ad query"

Question

Hi ,&nbsp;
Am using on demand certificate authentication with AD query... but after succeesfull authentication with certificate am getting error at AD query... I used two different AD for certificate and AD query ..I donno whether its correct or not... please give me suggestions whether we have to use same AD for both cerificate and AD query???? &nbsp;

seth_cooper · Answer

Can you please provide the error you are receiving?  You can have a different AD for the certificate and for the query, you just need to make sure that you have the query setup properly.  My guess is you will need to modify the "SearchFilter" in the AD Query to use the correct session variable that has the username provided by the certificate.&nbsp;
-Seth&nbsp;

seth_cooper · Answer

I will respond to the comment in an answer so I can get proper formatting to see the config.  After connecting to my APM with an On-Demand Certificate I looked at a sessiondump for the session and noticed that session.ssl.cert.subject was the variable that has the user details (CN=Administrator,CN=Users,DC=fr,DC=del,DC=corp) listed.  &nbsp;
I then looked in LDAP browser to see exactly which search field that mapped to which in my case was distinguisedName.  &nbsp;
I then updated the AD Query filter to have distinguishedName=%{session.ssl.cert.subject}.&nbsp;
This sends a request to AD that matches the subject on the certificate.  After this is done you should see you have all the AD attributes populated and then can make rules based on that data.&nbsp;
If you still want to query on the sAMAccountName then you will have to do some string manipulation to get just Administrator out of the subject string.&nbsp;
Hope this helps.&nbsp;
-Seth&nbsp;

pradeepkumar020 · Answer

.... please tell me what i have to use in search filter as well as in branch rule..below is my VPE.... evry time am getting the error "" Following rule 'fallback' from item 'AD Query' to ending 'Deny' """

seth_cooper · Answer

I wouldn't worry about the branch rule until you get the AD Query part working correctly.  When you get the attributes returned from AD then you can make a decision on how to configure the rules.

pradeepkumar020 · Answer

what things i have to use in search filter....please suggest me... i tried distinguishedName=%{session.ssl.cert.subject}....but getting error  Following rule 'fallback' from item 'AD Query' to ending 'Deny...

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

getting errors while using "on demand certificate authentication with ad query"

7 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Related Content

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS