For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Alex_1935's avatar
Alex_1935
Icon for Nimbostratus rankNimbostratus
Dec 06, 2012

Manipulating Kerberos failure codes during APM policy

Hi,   It is my first posting on devcentral. I would like to thank everyone for contributing to this wonderful knowledge database.   Currently I am working on a SSO project using APM BIG-IP modu...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 06, 2012
You could probably get away with just reading the session.ad.last.errmsg value.

 

 

Both expired and locked accounts send the message "User account is locked"

 

Bad password sends the message "Invalid user credentials"

 

 

Setting the "Max Logon Attempts Allowed" in the AD auth agent to something lower will let it escape the agent sooner so that you can follow branch rules. For example:

 

 

expr { [mcget {session.ad.last.errmsg}] contains "User account is locked" }

 

expr { [mcget {session.ad.last.errmsg}] contains "Invalid user credentials" }