Forum Discussion
RDG with BigIP APM and AD account password change
I implemented Remote Desktop Gateway with APM successfully. But I'm facing a problem with NTLM authentication when a user account needs to change its password (password expired). Is there anyone who has a solution for this problem? Maybe with an iRule?
Log from my APM when this problem happens: Dec 15 11:07:02 mybigip warning eca[4887]: 01620002:4: [Common] 10.10.10.10:54646 Authentication with configuration (/Common/NTLM-Auth-Conf-acces-ts-ced-RDG) result: testusr@testdomain (MYPC): Fail (STATUS_PASSWORD_MUST_CHANGE)
I'm able to trap the return code from an iRule with "when ECA_REQUEST_ALLOWED {}" but I don't know what to do after that.
I would like to let the user access the backend RDP server when the user needs to change his password (ECA::status = STATUS_PASSWORD_MUST_CHANGE) but block it when a wrong password is used. Any idea?
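As an added example (not from the thread or from F5), the following Python parses the APM eca log format quoted above and triages NTLM failures into expired-password cases, which are a helpdesk matter, and bad-password attempts per user and client IP, which are what you would watch for guessing activity. The additional sample lines, the STATUS_WRONG_PASSWORD status and the shape of a Success line are constructed assumptions modelled on the single line in the post.

```python
import re
from collections import Counter

# Field layout taken from the one eca log line in the post; everything else is assumed.
ECA_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \w+ eca\[\d+\]: \S+ "
    r"\[(?P<partition>[^\]]+)\] (?P<client>[\d.]+):\d+ Authentication with configuration "
    r"\((?P<config>[^)]+)\) result: (?P<user>\S+) \((?P<machine>[^)]+)\): "
    r"(?P<result>\w+)(?: \((?P<status>\w+)\))?$"
)

# Constructed sample log: first line is the one from the post, the rest are invented.
SAMPLE_LOG = """\
Dec 15 11:07:02 mybigip warning eca[4887]: 01620002:4: [Common] 10.10.10.10:54646 Authentication with configuration (/Common/NTLM-Auth-Conf-acces-ts-ced-RDG) result: testusr@testdomain (MYPC): Fail (STATUS_PASSWORD_MUST_CHANGE)
Dec 15 11:07:09 mybigip warning eca[4887]: 01620002:4: [Common] 10.10.10.11:54700 Authentication with configuration (/Common/NTLM-Auth-Conf-acces-ts-ced-RDG) result: otheruser@testdomain (PC2): Fail (STATUS_WRONG_PASSWORD)
Dec 15 11:07:15 mybigip warning eca[4887]: 01620002:4: [Common] 10.10.10.11:54702 Authentication with configuration (/Common/NTLM-Auth-Conf-acces-ts-ced-RDG) result: otheruser@testdomain (PC2): Fail (STATUS_WRONG_PASSWORD)
Dec 15 11:07:20 mybigip notice eca[4887]: 01620002:5: [Common] 10.10.10.12:54710 Authentication with configuration (/Common/NTLM-Auth-Conf-acces-ts-ced-RDG) result: gooduser@testdomain (PC3): Success
"""


def parse_eca_line(line):
    """Return the named fields of one eca log line, or None if it does not match."""
    m = ECA_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Split NTLM failures into users whose password has expired and a count of
    other failures keyed by (user, client IP). Successes are ignored."""
    expired, wrong = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_eca_line(line)
        if rec is None or rec["result"] != "Fail":
            continue
        if rec["status"] == "STATUS_PASSWORD_MUST_CHANGE":
            expired.add(rec["user"])
        else:
            wrong[(rec["user"], rec["client"])] += 1
    return expired, wrong


if __name__ == "__main__":
    exp, bad = triage(SAMPLE_LOG)
    print("expired:", sorted(exp))
    for (user, ip), n in bad.most_common():
        print(f"bad password: {user} from {ip} x{n}")
```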
2 Replies
- TBG_112407
Nimbostratus
Did you find any solution for this problem?
We also use the Remote Desktop Gateway on the APM but haven't been able to find a way to let users change their expired passwords.
- Steph_69890
Nimbostratus
Presently not supported by TMOS release 11.*. The way I implemented the RDG with APM, without a webtop, I suppose that will never work even with version 13... 8(
Here's the answer I received from F5 Support.
Hello Stephane, Unfortunately, this still will not work. Today, native RDP only works via NTLM auth, which does not support password reset. Furthermore, Big-IP cannot redirect the connection if a PW reset is required, because the source is the RDP client, not a browser.
In v13, we have engineered a solution that generates a signed RDP token, indistinguishable from those utilized in a pure MS environment, on the APM Webtop. With this solution, your users would be able to log in to the APM webtop from a browser via AD Auth (during which an AD password reset could be executed), then click a webtop link to initiate the native RDP connection to the back-end server.
That all being the case, the below Technet article may provide an alternate method for accomplishing your goal. This method is enabled on the server, and appears to use a local password reset aspx script to work around the shortcoming. Unfortunately, that means it would need to be enabled on a server-by-server basis.
Windows Server 2012 RDS: Enabling the RD WebAccess Expired password reset option http://social.technet.microsoft.com/wiki/contents/articles/10755.windows-server-2012-rds-enabling-the-rd-webaccess-expired-password-reset-option.aspx
Please let me know if you have any additional questions.