

mr_evil_116524
Dec 05, 2013

Two-Factor Authentication how to AD attribute

Hello,

I am already using APM two-factor with Google Authenticator, however I am using a data group and I was thinking of moving the keys to AD. The question is: how do I add a new AD attribute?

I have opened MMC and added the AD Schema snap-in (I had to register a DLL and had to be given Schema Admin rights). I can create a new attribute (the option is now visible), but what do I select?

Can someone who has set up an AD attribute for two-factor please give me some indication of how this can be done?

Thanks

2 Replies

  • Okay, now I understand what you're trying to do. The article talks about using an AD, LDAP, or data group to store the user's "key" (defaults to data group). So given that the data group entry is essentially a string value, you'll want to either create a new schema object or use an existing user object. So to create a new schema object:

    1. Register the schema manager DLL in Windows

      regsvr32 schmmgmt.dll
      
    2. Open up the schema manager MMC and navigate to the Attributes node.

    3. Right click the node and select "Create Attribute"

    4. Give it a name. Example: "OTP Key"

    5. Enter an OID value into the "Unique X500 Object ID" field. You can go to the following website to generate a valid OID:

      http://www.vishnivetsky.ru/notices%20articles%20reviews/on-line%20oid%20generator%20for%20active%20directory%20schema.html

    6. Enter a description

    7. Select Unicode String from the Syntax drop down. Leave everything else alone and click the Okay button.

    8. Now expand the Classes node and go all the way down and select the user class.

    9. Right click the user class and select properties.

    10. Go to the attributes tab, click the Add button and then select your new oTPKey class.

    11. Click Okay a few times to close the various boxes and then refresh the Classes node to make sure your oTPKey attribute is in the user class.

    12. Re-open the oTPKey class and make sure the following options are checked:

      Attribute is active
      Index this attribute (as required)
      Ambiguous Name Resolution (ANR) (as required)
      Replicate this attribute to the Global Catalog (as required)
      
    13. Right click on the top "Active Directory Schema" node and select "Reload the Schema"

    14. From there you'll be able to open up ADSIEDIT.msc and add oTPKey attributes for your users (or programmatically).
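The same schema extension, scripted with the ActiveDirectory PowerShell module rather than clicked through the Schema MMC. This is an added example and is not code from the reply above or from F5. It assumes RSAT is installed, the session runs as a member of Schema Admins, and the attribute is named oTPKey as in the reply; the account name "alice", the OU distinguished name, the service account name and the base32 seed value are constructed placeholders. It goes one step beyond the reply: because the attribute holds a shared secret, it sets the Confidential bit in searchFlags and leaves indexing, ANR and Global Catalog replication off, so the seed is not readable by every authenticated user and is not copied to every GC.

```powershell
# Added example, not from the original post or from F5. Assumes: RSAT
# ActiveDirectory module, a Schema Admins session, attribute name oTPKey.
# 'alice', the OU DN, 'CORP\svc-apm' and the seed value are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Schema writes are only accepted by the schema master FSMO role holder.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Step 5: generate an OID in Microsoft's documented private arc
# 1.2.840.113556.1.8000.2554 (same construction as Microsoft's oidgen.vbs),
# so the value that lives in the forest forever does not depend on a
# third-party website.
function New-SchemaOid {
    $prefix = '1.2.840.113556.1.8000.2554'
    $g = [guid]::NewGuid().ToString('N')   # 32 hex chars, no dashes
    $parts = @(0, 4, 8, 12, 16, 20, 26) | ForEach-Object {
        $len = if ($_ -ge 20) { 6 } else { 4 }
        [uint64]::Parse($g.Substring($_, $len), 'AllowHexSpecifier')
    }
    return "$prefix.$($parts -join '.')"
}

# Equivalent of step 13 ("Reload the Schema"); also needed between creating
# the attribute and referencing it from the user class.
function Update-SchemaCache {
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

$ldapName = 'oTPKey'
$oid      = New-SchemaOid

# Steps 4-7: the attributeSchema object. attributeSyntax 2.5.5.12 with
# oMSyntax 64 is "Unicode String". searchFlags 128 marks the attribute
# Confidential: plain Read Property on the user object no longer exposes it;
# a reader needs the CONTROL_ACCESS right (or Full Control). Index (1) and
# ANR (4) are intentionally not set, and the attribute is not added to the
# partial attribute set, so the seed is never replicated to Global Catalogs.
New-ADObject -Server $schemaMaster -Path $schemaNC -Name 'OTP Key' `
    -Type attributeSchema -OtherAttributes @{
        lDAPDisplayName  = $ldapName
        attributeID      = $oid
        attributeSyntax  = '2.5.5.12'
        oMSyntax         = 64
        isSingleValued   = $true
        searchFlags      = 128
        adminDescription = 'Per-user OTP seed for APM two-factor authentication'
    }
Update-SchemaCache

# Steps 8-11: attach it to the user class as an optional attribute.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -Filter "objectClass -eq 'classSchema' -and lDAPDisplayName -eq 'user'"
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $ldapName }
Update-SchemaCache

# Only the account APM binds with for its AD Query should be able to read
# the seed. Grant CONTROL_ACCESS on this attribute for user objects under the
# OU (placeholder DN and account), inherited to the user objects below it.
dsacls 'OU=Staff,DC=corp,DC=example' /I:S /G "CORP\svc-apm:CA;$ldapName;user"

# Step 14: populate the value. The seed is a constructed example (base32,
# the format the APM Google Authenticator iRule expects).
Set-ADUser -Identity 'alice' -Replace @{ $ldapName = 'JBSWY3DPEHPK3PXP' }

# Check: an admin session sees the value, while a query run as an ordinary
# authenticated user returns the account with no oTPKey property at all.
Get-ADUser -Identity 'alice' -Properties $ldapName |
    Select-Object SamAccountName, $ldapName
```

On the APM side, list oTPKey under the AD Query agent's required attributes and the value arrives in the session as session.ad.last.attr.oTPKey, which replaces the data group lookup; the AAA AD server's bind account must be the one granted the control access right above, or the query returns the user with the attribute silently missing.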