For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kunjan's avatar
kunjan
Icon for Nimbostratus rankNimbostratus
May 28, 2014

The Kerberos TGT cache life time by default in APM is 600 minutes. The lowest it can go is 10 minutes. During this period if the account is locked, it can't be detected by SSO.

But after that for the new request, Kerberos(S4U2Self) will fail if the account is locked and server will throw 401. So if we capture this 401 and restart the APM session, I guess we can go to the AD query to check for the account status.

Try if this helps; tune "ticket-lifetime 10" in the Kerberos SSO and apply the iRule.

when HTTP_RESPONSE {
   if { [HTTP::status] == 401 } {
      ACCESS::session remove
      HTTP::respond 302 Location "/" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
   }
}