Forum Discussion

chungyu_16122
Jun 11, 2015

Using APM to authenticate to Windows AD with a UPN that is different than our domain name

Hi all

I am trying to use F5 APM to log in to a webtop with Windows AD credentials, but when using my UPN = myuser@university.com it does not work because our real AD domain is school.university.com

Without APM, normally a user with UPN student@university.com logs in and AD does a lookup in the GAL and finds out who you are and where you belong, i.e. student@university.com is also student@mail.university.com

So when using my APM webtop, if I log in as myuser@school.university.com, all works fine. But if I try myuser@school.com, it fails.

I have read SOL12252: Microsoft Active Directory authentication using UPN may fail if the user's UPN suffix does not match the domain suffix

This sounds like the right way to go, but I cannot seem to get it to work.

Has anyone had to deal with a similar situation?

Thanks

Chung

 

  • One solution is to do:
    • AD query to find the user based on UPN and retrieve sAMAccountName
    • Variable assign to assign ad.last.attr.sAMAccountName to session.logon.last.username
    • AD Auth
  • In order to support Autodiscovery and Skype for Business authentication to Exchange, I am also trying to do exactly what Stanilas mentions above: query AD based on UPN and retrieve the sAMAccountName so I can use the SAM account name against LDAP, but then use the UPN in the post to the Exchange CAS servers. Is that process in a post here somewhere already?

    • chungyu_16122
      Thanks all, I have solved the issue by using an LDAP Authentication and a search filter query = (UserPrincipalName=%{session.logon.last.username}). Regards, chung
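An added illustration of the two approaches in this thread (AD Query on the UPN, then hand the sAMAccountName to AD Auth; or an LDAP search filter on UserPrincipalName), written for this page rather than taken from F5 or APM: a small Python model with a constructed in-memory directory standing in for AD. The entries, attribute names and function names are assumptions for the demo. It escapes the logon name per RFC 4515 before building the filter, keeps the UPN alongside the resolved account name, and returns None when the query finds no (or more than one) entry.

```python
import re

# Constructed sample entries standing in for the AD directory (not real accounts).
DIRECTORY = [
    {"dn": "CN=student,OU=Users,DC=school,DC=university,DC=com",
     "userPrincipalName": "student@university.com", "sAMAccountName": "student"},
    {"dn": "CN=myuser,OU=Users,DC=school,DC=university,DC=com",
     "userPrincipalName": "myuser@university.com", "sAMAccountName": "myuser"},
]

# RFC 4515 escaping: the logon name comes from the user and is placed inside the
# filter, so these characters must not be able to change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_upn_filter(logon_name):
    # Same shape as the APM search filter (UserPrincipalName=%{session.logon.last.username})
    return "(userPrincipalName=%s)" % escape_filter_value(logon_name)

def search(directory, ldap_filter):
    # Minimal evaluator for one equality filter. An unescaped '*' is a wildcard,
    # an escaped '\2a' is a literal asterisk; AD compares these values case-insensitively.
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr, raw = m.groups()
    parts = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
    pattern = re.compile(".*".join(parts), re.IGNORECASE)
    return [e for e in directory if pattern.fullmatch(e.get(attr, ""))]

def resolve_logon(logon_name, directory=DIRECTORY):
    """AD Query by UPN -> sAMAccountName for AD Auth, keeping the UPN for Exchange.
    Returns None when no single entry matches, i.e. the branch that needs a fallback."""
    matches = search(directory, build_upn_filter(logon_name))
    if len(matches) != 1:   # unknown UPN, or ambiguous result: do not guess an account
        return None
    entry = matches[0]
    return {"username": entry["sAMAccountName"], "upn": entry["userPrincipalName"]}

if __name__ == "__main__":
    for name in ("myuser@university.com", "nobody@university.com", "*@university.com"):
        print(name, "->", resolve_logon(name))
```

The last loop entry shows why the escaping matters: the same string used unescaped in `search` would match every account, while the resolver treats it as a literal and falls through to the not-found branch.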
  • Hi, I have the same issue and found this article and have it working. I have one question, however.

    When the AD Query for UPN fails to find an entry I would like to get back to the logon page. However, the fallback from AD Query cannot be wired back to the logon page.

    What are our options?