Forum Discussion
Dev_56330
Oct 22, 2015 Cirrus
Kerberos Authentication with different UPN than Kerberos Realm
Using the Exchange 2013 iApp to allow the BIG-IP (v12.0) to load balance a pool of Client Access Servers with APM providing authentication, users are receiving "Matching Credentials Cannot be Found" after...
Kevin_Stewart
Oct 23, 2015 Employee
Add an iRule event agent to the visual policy right after the OCSP auth. Give it an ID of "CERTPROC". Add an iRule to fetch the certificate SAN UPN:
    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "CERTPROC" {
                # Only act when the certificate extensions carry a SAN otherName UPN
                if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } {
                    # Skip the 14 characters of "othername:UPN<" and read up to the closing ">"
                    ACCESS::session data set session.logon.last.username [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
                }
            }
        }
    }
Add an LDAP Query agent after the iRule event and use the following LDAP filter:
userPrincipalName = %{session.logon.last.username}
If the LDAP query succeeds, you should have a session.ldap.last.attr.sAMAccountName session variable with the user's SAM name.
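A stricter variant of the iRule above, as an added example that is not part of the original answer: it checks that the extracted value looks like a plain UPN before it is written to session.logon.last.username and substituted into the LDAP filter. The variable name session.custom.certproc.result and the allowed character set are assumptions made for this example; adjust the pattern to the UPNs your directory actually issues.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "CERTPROC" {
            # Default to "fail" so the policy can branch on an explicit result.
            # session.custom.certproc.result is a hypothetical variable name.
            ACCESS::session data set session.custom.certproc.result "fail"

            set ext [ACCESS::session data get session.ssl.cert.x509extension]
            if { not ( $ext contains "othername:UPN<" ) } {
                log local0.warning "CERTPROC: no UPN otherName in client certificate SAN"
                return
            }

            # Same extraction as the original rule: the text between
            # "othername:UPN<" (14 characters) and the next ">".
            set upn [findstr $ext "othername:UPN<" 14 ">"]

            # Accept only user@domain made of characters that have no special
            # meaning in an LDAP filter; this rejects ( ) * \ and empty values.
            # The character set is an assumption for this example.
            if { ![regexp {^[A-Za-z0-9._'-]+@[A-Za-z0-9.-]+$} $upn] } {
                log local0.warning "CERTPROC: rejected malformed UPN from client certificate"
                return
            }

            ACCESS::session data set session.logon.last.username $upn
            ACCESS::session data set session.custom.certproc.result "ok"
        }
    }
}
```

With this variant the username is only set when the result variable is "ok", so the policy can check that variable before running the LDAP Query agent.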