Forum Discussion
Query AD for Account Lockout status in APM/iRules
I currently have an APM policy that does cert auth and then gets a Kerberos ticket on behalf of the user. My management wants to add an account lockout feature, so we could use this same setup to detect when the user's domain account is locked out and automatically redirect them to a custom "unlock my account" page.
So far I was able to get this working by adding a step in APM to run an AD Query (&(sAMAccountName=xxx)(lockoutTime>=1)) and then set a flag AccountLockout to 1 if that query passes.
    when ACCESS_POLICY_COMPLETED {
        # Flag set by the AD Query branch of the policy when lockoutTime>=1 matched
        if { [ACCESS::session data get AccountLockout] equals 1 } {
            ACCESS::respond 302 Location "https://xxx/accountlockout"
        }
    }
The problem with this current solution is two fold:
- This only gets checked on a new session. How would I go about checking this when resuming an existing session?
- It seems to take about 5 minutes for our DCs to propagate this "lockoutTime" attribute, and this is problematic.
So unfortunately the current solution is somewhat unworkable. I had considered other ways to detect a lockout that would be nearly instant (track 401s triggered by a client over multiple page loads, perhaps?), or change the session time to 5 minutes, which would cause the full APM policy to be triggered more often, but that of course has other problems.
Just looking for any ideas/suggestions/etc. Thanks!
- Jeremy
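The lockout check in the post keys off lockoutTime>=1 in the AD Query. The following is an added example, not code from the thread, that shows what to do with the attributes such a query returns: it escapes the user-supplied sAMAccountName before it goes into the filter, decodes lockoutTime from its Windows FILETIME encoding, and reproduces the rule a domain controller itself applies (lockoutTime plus the domain's lockoutDuration, or the UF_LOCKOUT bit of the constructed attribute msDS-User-Account-Control-Computed when that was requested). It assumes the caller has already fetched the user entry and the domain lockoutDuration with some LDAP client and decoded the values to Python integers; all sample values are constructed.

```python
"""Decide whether an AD account is locked out from the attributes an LDAP query returns.

Added example (not from the thread). Assumes the user's entry and the domain's
lockoutDuration have already been fetched with some LDAP client and decoded to
integers; the sample values in __main__ are constructed, not from a real directory.
"""
from datetime import datetime, timedelta, timezone

# AD large-integer timestamps (lockoutTime) count 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# lockoutDuration value the domain stores for "locked until an administrator unlocks".
LOCKOUT_DURATION_NEVER = -0x8000000000000000
# Bit the DC sets in the constructed attribute msDS-User-Account-Control-Computed
# when the account is locked *right now*. Constructed attributes cannot be used
# in a search filter, only requested as return attributes.
UF_LOCKOUT = 0x0010

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-controlled name cannot change the filter's shape."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lockout_query(sam_account_name: str):
    """Filter and attribute list for one user's lockout state.

    The filter mirrors the one in the post. lockoutTime>=1 only means the account
    was locked at some point since its last successful logon, so the returned
    attributes are what actually decide whether it is locked now.
    """
    filt = f"(&(sAMAccountName={escape_filter_value(sam_account_name)})(lockoutTime>=1))"
    return filt, ["lockoutTime", "msDS-User-Account-Control-Computed"]


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def lockout_expiry(lockout_time: int, lockout_duration: int):
    """When the lock lifts on its own; None if not locked or only an admin can clear it."""
    if lockout_time == 0 or lockout_duration == LOCKOUT_DURATION_NEVER:
        return None
    # lockoutDuration is stored as a negative interval in 100-ns ticks.
    return filetime_to_datetime(lockout_time) + timedelta(seconds=-lockout_duration / TICKS_PER_SECOND)


def is_locked_out(entry: dict, lockout_duration: int, now: datetime) -> bool:
    """True if the account in `entry` is locked at `now`.

    Prefers the DC's computed flag when it was returned; otherwise applies the
    DC's own rule from lockoutTime and the domain lockoutDuration. A non-zero
    lockoutTime alone is not enough: AD leaves it set after the lock expires and
    only resets it on the next successful logon.
    """
    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        return bool(computed & UF_LOCKOUT)
    lockout_time = entry.get("lockoutTime", 0)
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_DURATION_NEVER:
        return True
    return now < lockout_expiry(lockout_time, lockout_duration)


if __name__ == "__main__":
    # Constructed sample: locked at 12:00 UTC, domain lockoutDuration of 30 minutes.
    locked_at = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    thirty_minutes = -30 * 60 * TICKS_PER_SECOND
    entry = {"lockoutTime": datetime_to_filetime(locked_at)}
    print(lockout_query("j.doe"))
    print(is_locked_out(entry, thirty_minutes, locked_at + timedelta(minutes=10)))  # True
    print(is_locked_out(entry, thirty_minutes, locked_at + timedelta(minutes=40)))  # False
```

Two practical notes on the delay described in the post: a lockout is one of the events AD replicates urgently to the PDC emulator, and other DCs chain failed logons to it, so directing the AD Query at the PDC emulator rather than at a load-balanced pool of DCs avoids waiting out normal replication. Requesting msDS-User-Account-Control-Computed also spares you from re-implementing the duration arithmetic at all, since the DC evaluates it at query time.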
3 Replies
- kunjan
Nimbostratus
Are you using Kerberos SSO or Kerberos end user logon authentication?
- JJ_41469
Nimbostratus
kunjan -
We are using Kerberos Constrained Delegation to have the f5 negotiate a ticket to the backend server on behalf of the client, and simply cert-auth the client to the f5 (no Kerberos client>f5)
- kunjan
Nimbostratus
The Kerberos TGT cache lifetime by default in APM is 600 minutes. The lowest it can go is 10 minutes. During this period, if the account is locked, it can't be detected by SSO.
But after that, for the new request, Kerberos (S4U2Self) will fail if the account is locked and the server will throw a 401. So if we capture this 401 and restart the APM session, I guess we can go to the AD query to check for the account status. Try if this helps: tune "ticket-lifetime 10" in the Kerberos SSO and apply the iRule.
    when HTTP_RESPONSE {
        if { [HTTP::status] == 401 } {
            # Backend answered 401: drop the APM session and expire its cookie
            # so the client's next request restarts the access policy
            ACCESS::session remove
            HTTP::respond 302 Location "/" \
                "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" \
                "Connection" "Close"
        }
    }