
Forum Discussion

Alex_1935
Dec 06, 2012

Manipulating Kerberos failure codes during APM policy

Hi,

It is my first post on DevCentral. I would like to thank everyone for contributing to this wonderful knowledge base.

Currently I am working on an SSO project using the BIG-IP APM module. I have a problem manipulating Kerberos error codes during the AD Auth event. For example, if a user account is expired, Kerberos returns error code 23. I would like to find a way to read this error code and then perform an action, like redirecting the user to a registration form for reactivating his account.

Is this possible? Please let me know of any hint that will help to implement this requirement.

Thank you in advance for your help.

Best Regards,

Alexander Emmanuel

2 Replies

  • You could probably get away with just reading the session.ad.last.errmsg value.

    Both expired and locked accounts send the message "User account is locked".

    Bad password sends the message "Invalid user credentials".

    Setting the "Max Logon Attempts Allowed" in the AD auth agent to something lower will let it escape the agent sooner so that you can follow branch rules. For example:

    expr { [mcget {session.ad.last.errmsg}] contains "User account is locked" }

    expr { [mcget {session.ad.last.errmsg}] contains "Invalid user credentials" }
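    The two expressions above, assembled into a complete branch-rule set for the AD Auth agent, as an added example that is not part of Kevin's reply or of F5's own documentation. It assumes "Max Logon Attempts Allowed" on the agent is set to 1, that the Visual Policy Editor evaluates branch rules top to bottom and takes the first true one, and that session.ad.last.authresult is 1 after a successful bind; the branch names in the comments are placeholders.

```tcl
# Added example (not from the original thread): branch rules on an APM
# AD Auth agent. Assumes "Max Logon Attempts Allowed" = 1, so the agent exits
# after the first failure and these rules are evaluated; with a higher value
# the agent re-prompts the user instead and the rules are not reached until
# the last attempt fails. Rules are assumed to be evaluated in this order,
# first match wins.

# Branch "Account Locked": APM reports expired and locked accounts with the
# same text, so this branch cannot distinguish the two cases.
expr { [mcget {session.ad.last.errmsg}] contains "User account is locked" }

# Branch "Bad Password"
expr { [mcget {session.ad.last.errmsg}] contains "Invalid user credentials" }

# Branch "Successful" (assumption: authresult is 1 only when the bind
# succeeded)
expr { [mcget {session.ad.last.authresult}] == 1 }

# Anything else (for example, no reachable domain controller) takes the
# agent's fallback branch, which should end in a Deny ending.
```

    Two points to check before wiring the "Account Locked" branch to a self-service reactivation page: since expired and locked accounts produce the same message, locked accounts will be sent there too, and because the locked-account and bad-password branches lead to visibly different outcomes, an unauthenticated client can tell which accounts exist and are locked, so the two endings should look the same to the user unless that disclosure is acceptable.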

  • Thank you, Kevin, for your reply.

    It worked. The problem was with the "Max Logon Attempts Allowed" setting. I thought that the agent always checks error messages and is able to escape and follow branch rules if an error message is matched, before reaching the maximum logon attempts.