
Forum Discussion

kj07208_118528
Feb 03, 2014

Which variables to set in APM to authenticate against Active Directory

For a VPE that I have, I let the user enter their email address instead of the sAMAccountName or UPN. I do a lookup against AD to retrieve both attributes; now I need to authenticate the user, so I need to set one of the session variables. Currently I'm setting the following variable: session.logon.last.username = expr { [mcget {session.ad.last.attr.sAMAccountName}] }, but this seems like it is not doing the trick. I know that domain might be a factor in this, but this is one of the confusing things about authenticating in F5: which variables are used, especially when you have split domain turned on and the option of cross domain in the AD auth component.


Last time I did this, I did it by trial and error and had a matrix: Split domain | Cross domain | session.logon.last.username


Any help would be appreciated.


2 Replies

  • Are you by chance querying AD to find the SAM or UPN based on the mail attribute? If so, then you probably shouldn't enable split domain in the logon form.


    1. Present user with logon form and accept email address and password
    2. Query AD with mail=%{session.logon.last.username}
    3. Variable (re)assign session.logon.last.username with session.ad.last.attr.sAMAccountName
    4. Pass to AD auth
  • The expr command will work here, but technically you should probably be using return.

    return [mcget {session.ad.last.attr.sAMAccountName}]
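Putting the two replies together, here is an added example of the step 3 Variable Assign custom expression (this is not code from the original thread or from F5). It uses return rather than expr, as the second reply suggests, and handles the case the procedure above leaves open: the AD Query finding no object for the typed email address. The variables session.logon.last.username and session.ad.last.attr.sAMAccountName come from the thread; session.ad.last.queryresult is the standard APM AD Query result variable (1 on a successful lookup), relied on here as an assumption about the environment.

```tcl
# Added example (not from the thread). APM Variable Assign, "Custom expression",
# assigned to session.logon.last.username, placed after the AD Query agent.
# Assumes the AD Query ran with the filter mail=%{session.logon.last.username}
# and requested the sAMAccountName attribute, and that split domain is left
# off on the logon page so the "@domain" part of the email is not stripped
# before the query runs.

set sam [mcget {session.ad.last.attr.sAMAccountName}]

# session.ad.last.queryresult is 1 when the AD Query matched an object
# (assumption: standard APM variable). A matched object that returned an
# empty sAMAccountName is treated the same way as no match.
if { [mcget {session.ad.last.queryresult}] != 1 || $sam eq "" } {
    # Lookup failed: leave the typed email in place rather than assigning an
    # empty username. A Branch Rule on the same queryresult check, e.g.
    #   expr { [mcget {session.ad.last.queryresult}] == 1 }
    # can then route the session to a Deny ending instead of letting AD Auth
    # attempt a bind with the email address as the account name.
    return [mcget {session.logon.last.username}]
}

# Use return, not expr: expr re-parses the substituted value as an
# expression, so an account name that looks numeric is altered
# ("007" becomes 7, "1e3" becomes 1000.0) or raises an error ("08" is an
# invalid octal literal). return hands the string through unchanged.
return $sam
```

The AD Auth agent that follows then authenticates session.logon.last.username (now the sAMAccountName) with the password captured on the logon page; the domain it binds against is the one configured on the AD Auth agent, which is why the split domain and cross domain options are not needed for this flow.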