Cody_Green (F5 Employee)

From time to time I receive requests on how to make APM authenticate against multiple domains. These organizations require unique domains for various user roles such as contractor versus employee or student versus faculty. There are several ways to achieve this depending upon the required user interaction - manual versus automated.

In this series we will work through a few ways APM can help you achieve this requirement:

  • Domain drop down menu on the logon page
  • Home realm discovery / where are you from
  • Domain lookup
  • End-point inspection (certificate / registry settings)

Domain Drop Down Menu

For part 1 we’ll take a look at placing a domain drop down list on the APM logon page. This topic has previously been covered by Jason Rahm on DevCentral but required advanced APM knowledge and heavy modifications of underlying code. In BIG-IP TMOS version 11.5 additional login page input types were added: select and checkbox.

[image: 0151T000003d6BPQAY.png]

With the addition of these new input types F5 has significantly reduced the complexity of implementing this solution.

In this example I assume you already have an APM Access Policy created and we will modify it to add the domain drop down feature.

Logon Page Modification

  1. Open the APM Visual Policy Editor for your access policy
  2. Make the following modifications to the Logon Page:
     Type: select
     Post Variable Name: domain
     Session Variable Name: domain
     Values: in the pop-up window add values for Contractor and Employee (see image below)
     Logon Page Input Field #3: Domain
  3. Click Save

[image: 0151T000003d6BQQAY.png]

[image: 0151T000003d6BRQAY.png]

Domain Decision Box

Now that we’ve customized the Logon Page we need to add logic to our Visual Policy Editor to choose the correct domain based upon which domain was selected.

  1. Add an empty action to the VPE after the Logon Page

[image: 0151T000003d6BSQAY.png]

  2. Name the empty action Check Domain
  3. Click the Branch Rules tab
  4. Click the Add Branch Rule button
  5. Name the new rule Contractor
  6. Click the change link next to Expression: Empty

[image: 0151T000003d6BTQAY.png]

  7. Click the Advanced tab
  8. Enter the following TCL expression:

expr { [mcget {session.logon.last.domain}] eq "Contractor" }

[image: 0151T000003d6BUQAY.png]

  9. Click Finished
  10. Click Save
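The complete Check Domain logic, written out as an added example that is not part of the original article: the Contractor rule as shown above, an Employee rule, a case-normalised form of each, and a stand-in mcget so the expressions can be tried offline with tclsh. The session value is constructed; on the BIG-IP only the expr lines go into each branch rule's Advanced tab, and mcget is supplied by APM.

```tcl
# Added example, not the article's own configuration. Emulates the APM session
# variable lookup so the branch-rule expressions can be evaluated with tclsh.

# Constructed session table; the value is what the drop-down posted (here
# upper case, which is how NETBIOS domain names frequently arrive).
array set session {
    session.logon.last.domain "CONTRACTOR"
}

# Stand-in for APM's mcget: returns the session variable or "" if unset.
proc mcget {name} {
    global session
    if {[info exists session($name)]} { return $session($name) }
    return ""
}

# Evaluates the Check Domain branch rules in order and returns the branch name.
# The fallback branch is what APM follows when no rule matches, so the policy
# should send it to Deny rather than to an authentication agent.
proc check_domain {} {
    # Branch rule "Contractor" exactly as the article shows it (case sensitive)
    if {[expr { [mcget {session.logon.last.domain}] eq "Contractor" }]} {
        return "Contractor"
    }
    # Branch rule "Employee", same pattern
    if {[expr { [mcget {session.logon.last.domain}] eq "Employee" }]} {
        return "Employee"
    }
    return "fallback"
}

# Case-normalised variant: lower-case the session variable before comparing,
# so "CONTRACTOR", "Contractor" and "contractor" all select the same branch.
proc check_domain_nocase {} {
    set domain [string tolower [mcget {session.logon.last.domain}]]
    if {[expr { $domain eq "contractor" }]} { return "Contractor" }
    if {[expr { $domain eq "employee" }]}   { return "Employee" }
    return "fallback"
}

puts "case-sensitive rules select: [check_domain]"
puts "case-insensitive rules select: [check_domain_nocase]"
```

With the constructed upper-case value the case-sensitive rules fall through to the fallback branch while the normalised rules select Contractor, which is the behaviour several commenters below describe.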

Final VPE Configuration

With the Logon Page customized and the Check Domain decision box complete, you can now add multiple AD Authentication actions (or any other authentication types) to your Visual Policy Editor. The image below provides an example of a completed VPE.

[image: 0151T000003d6BVQAY.png]

End Results

The final result will provide a Domain drop down box on the APM logon page allowing users to select which domain they belong to. Pretty easy!

In the next post we’ll add additional logic to select the correct domain without requiring the drop down box.

[image: 0151T000003d6BWQAY.png]

Comments
Alton_104690 (Nimbostratus)
I want to add a correction for the TCL syntax. Most domains use ALL capitals in the NETBIOS name. Therefore expr { [mcget {session.last.domain}] eq "Contractor"} will not work; instead ignore case by making it not case sensitive, with this syntax: expr { [string tolower [mcget {session.logon.last.domain}]] eq "contractor"}
Luis_C__Wiedema (Nimbostratus)
This is a great article but is there anywhere I can reference for doing this in 11.4? 🙂
Nelgin_Nepolea1 (Nimbostratus)
The expr { [mcget {session.last.domain}] eq "Contractor"} didn't work. So I used expr { [string tolower [mcget {session.logon.last.domain}]] contains "contractor"}, and then it started working. Thanks for your document, it is helpful.
kenny_50210 (Nimbostratus)
This worked for me as well. Thanks! expr { [string tolower [mcget {session.logon.last.domain}]] contains "contractor"}
xmatt_99538 (Nimbostratus)
I've had a pretty good search but can't find "part 2" of this, or any other parts actually. I'm interested in the following: Home realm discovery / where are you from, Domain lookup, End-point inspection (certificate / registry settings). Thanks.
AP_129594 (Nimbostratus)
Excellent article. I ran into an issue: when a user selects the wrong domain the first time after submitting the login, the user receives an error when selecting the correct domain the second time. I will investigate more tomorrow morning, but has anybody run into this issue?
woytaz (Altostratus)
@AP It works like you wrote because by default in AD Auth "Max Logon Attempts Allowed" is set to 3. Change it to 1, and after choosing the wrong domain the session will be removed from APM and you will receive an error with a link to a new session. I couldn't find a better solution.
rob_carr (Cirrostratus)
I'd really love to see the second article in this sequence.
col_h_175104 (Nimbostratus)
You can find the 2nd part here: https://f5guru.com/2014/11/17/apm-cookbook-multiple-domain-authentication-part-2/ I'm still having issues with this setup; the syntax appears to be OK, but sessions fail and the report shows this logic just skips past the two domains I have set up to fallback and deny.
Luis_Araujo_560 (Nimbostratus)
Excellent article!!!

I used it to do O365 and multiple domain integrations. It's working very well.

Well done!!!
steven_monroe_2 (Nimbostratus)
@col_h did you ever find a solution to the logic skipping past the domains? I'm having the same thing. It is being evaluated, but the domain is just being skipped past.
Version history
Last update: 20-Jun-2014 08:07