Configuring Smart Card Authentication and Kerberos Constrained Delegation in F5 Access Policy Manager (APM)
Steve,
So, after some digging, I have found a few things:
1) As you stated, using AD Query or LDAP Query should work either way, BUT since my Kerberos SSO config is set to "session.ad.last.attr.sAMAccountName", I must use the "sAMAccountName from Active Directory" in the SSO Credential Mapping.
2) I still do not see an update to the AD "lastLogon" attribute though. It gets updated when I unlock my workstation with my Token card and PIN, but not when I access a VS with associated Access Policy.
I am at a loss how to get this AD attribute to update, but I will keep trying.
On a side note, after researching the "lastLogon" and "lastLogonTimestamp", it appears as though the former is specific to each DC, meaning that whichever DC processed the logon, the "lastLogon" attribute is then updated on that DC ONLY (not replicated). If the DC that processed the logon has a "lastLogonTimestamp" that is greater than 14 days of the newly processed "lastLogon", then the "lastLogonTimestamp" of that DC will get updated with the "lastLogon" date/time, and then that "lastLogonTimestamp" gets replicated across all the DCs.
I'm not sure where I go from here, but if you have any insight let me know. Thanks again!
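
The per-DC behaviour described in the comment above means a single-DC read of "lastLogon" can miss the most recent logon. The following is an added example, not part of the original post or of any F5 code: it takes the two attributes as read from each DC and reports the newest "lastLogon" next to the replicated "lastLogonTimestamp". The DC names, the FILETIME values and the `summarize` helper are constructed for illustration, and the 14-day window is the figure given in the comment.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYNC_WINDOW = timedelta(days=14)  # assumption: the figure given in the comment


def filetime_to_dt(value):
    """Both attributes are 100-ns ticks since 1601-01-01 UTC; 0 or unset = never."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def summarize(per_dc):
    """per_dc: {dc_name: {"lastLogon": ticks, "lastLogonTimestamp": ticks}}."""
    logons = {dc: filetime_to_dt(a.get("lastLogon")) for dc, a in per_dc.items()}
    seen = {dc: t for dc, t in logons.items() if t is not None}
    stamps = [filetime_to_dt(a.get("lastLogonTimestamp")) for a in per_dc.values()]
    stamps = [s for s in stamps if s is not None]
    # lastLogon is not replicated, so the real value is the maximum over all DCs.
    newest_dc = max(seen, key=seen.get) if seen else None
    newest = seen.get(newest_dc)
    replicated = max(stamps) if stamps else None
    lag = newest - replicated if newest and replicated else None
    return {
        "newest_dc": newest_dc,
        "last_logon": newest,
        "replicated": replicated,
        "lag": lag,
        # Inside the window the replicated value is expected to trail lastLogon.
        "lag_within_window": lag is not None and lag <= SYNC_WINDOW,
    }


# Constructed sample: one account as read from three hypothetical DCs.
STAMP = 133537536000000000  # 2024-03-01 08:00:00 UTC
SAMPLE = {
    "dc01.example.test": {"lastLogon": STAMP, "lastLogonTimestamp": STAMP},
    "dc02.example.test": {"lastLogon": 133545366000000000,  # 2024-03-10 09:30 UTC
                          "lastLogonTimestamp": STAMP},
    "dc03.example.test": {"lastLogon": 0, "lastLogonTimestamp": STAMP},
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, only dc02 holds the newest logon, and the replicated timestamp still shows the older date because the gap is inside the window.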