Forum Discussion
Is it possible to query ad Server to check for user presence?
The way I see how it is supposed to be working:
Logon Page - AD Query to check for user presence - if the user is present, try to authenticate. If the user is not present, append the domain name and use the AD Server with cross-domain support.
I couldn't find any session variable that let me do this
One possible solution is to use AD Query with "expr { [mcget {session.ad.last.queryresult}] == 1 }" and, if it fails, send the user over to the AD server with cross-domain support. I don't think that, from a design standpoint, is the best solution, because what if the user typed in the wrong password?
Any help is appreciated.
An AD query won't fail unless the user isn't present in the database; it doesn't utilize the user's full credentials, just their username (it utilizes the credentials of the AAA admin server configuration). I think you're on the right track.
The exceptional case will be if the user types in their username wrong, but that is hard to completely avoid.
- drugovm_149811 (Nimbostratus)
I tried using AD query and it was failing if I was supplying the wrong password. It was passing with the right password.
- Hmm... I've used that before and not even collected a password; I just used the logon box object and removed the password field so I collected the username only. Maybe try blanking the password variable? Move it to a temporary variable, run the AD query, then move it back? I guess a quick test would be to attempt the AD query with just the username, and not put a password in at all.
- One other thing: you need to have the admin credentials in the AAA server configuration. Without that, it will definitely fail without using the user's logon credentials. I'll bet that's why it's not working for you; AD will not allow a query unless there are valid credentials. You can use admin credentials by populating the field in the AAA server config.
- drugovm_149811 (Nimbostratus)
Issue solved. My issue was that I was using the condition expr { [mcget {session.ad.last.queryresult}] == 0 } instead of 1.
Final Policy
Login Page - AD Query - if found - AD Auth - SSO - allow - if not found - append domain name - use AD with cross-domain support - append domain name for SSO user name - SSO - allow
Thank you
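The two expressions that implement the final policy above (the AD Query branch rule and the domain-appending Variable Assign steps), written as APM custom expressions. This is an added example, not the thread author's configuration; the domain corp.example.com is an assumed placeholder, and the only variables taken from the thread are session.ad.last.queryresult and session.logon.last.username.

```tcl
# Branch rule on the AD Query agent: "User Found" branch.
# The AD Query binds with the AAA server's admin credentials and looks
# up the username only; the user's password is not consumed here, so a
# wrong password does not send the user down the "not found" branch.
# queryresult is 1 when the account exists in the queried domain.
expr { [mcget {session.ad.last.queryresult}] == 1 }

# Variable Assign agent on the fallback ("not found") branch, before the
# AD Auth agent that points at the cross-domain AAA server:
# append the remote domain so that server can resolve the account.
# Custom variable: session.logon.last.username
# corp.example.com is an assumed placeholder domain.
expr { "[mcget {session.logon.last.username}]@corp.example.com" }

# Variable Assign for the SSO user name on the same branch, run after the
# append above so the SSO name carries the domain exactly once.
# Custom variable: session.sso.token.last.username
expr { [mcget {session.logon.last.username}] }
```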