APM: Issue with RSA Authentication
I have a question on the published APM documentation for RSA. We follow the standard setup described below for integrating RSA and AD authentication. https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-2/6.html
The APM schema works well except for the situation when the user makes an AD password error.
If the AD block allows for more than 1 password attempt and the user enters the AD password incorrectly the very first time, the user will not be able to log on until the maximum number of password attempts is reached, even with a good RSA passcode and a good AD password.
The logon page contains 3 fields: username, AD password and RSA passcode.
The very first time, the "Variable Assign" block ensures that the AD password field content is correctly assigned to session.logon.last.password.
However, once the user has entered an incorrect AD password, this assignment block no longer works. The user is presented with the same logon page with the same 3 fields.
The second time, the AD password must be entered in the RSA passcode field in order to get successful AD authentication. The original field intended for the AD password can be left completely empty.
Has anyone encountered the same issue?
A temporary workaround applied is to lower the AD password attempt count to 1, which effectively ends the authentication flow without looping within the AD block.
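To make the looping behaviour described in the post easier to reason about, here is a small Python model of that access-policy branch. It is an added illustration, not F5 code or the author's configuration: agent behaviour is reduced to what the post reports, the sample credentials are constructed, and the custom AD field name `password1` is an assumption.

```python
"""Toy model of the APM access-policy branch described in the post.

Added illustration only, not F5 code: agent behaviour is simplified to what the
post reports, and the custom AD field name 'password1' is an assumption.
"""
from dataclasses import dataclass, field

AD_PASSWORD = "ad-Secret1"     # constructed sample credentials
RSA_PASSCODE = "482913"


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    ad_attempts: int = 0


def logon_page(s, form):
    """Logon Page agent: default 'password' field plus the custom AD field."""
    s.data["session.logon.last.username"] = form["username"]
    s.data["session.logon.last.password"] = form["password"]     # RSA passcode field
    s.data["session.logon.last.password1"] = form["password1"]   # AD password field (assumed name)


def rsa_auth(s):
    return s.data["session.logon.last.password"] == RSA_PASSCODE


def variable_assign(s):
    """Copies the AD field into the variable that AD Auth reads."""
    s.data["session.logon.last.password"] = s.data["session.logon.last.password1"]


def ad_auth(s):
    s.ad_attempts += 1
    return s.data["session.logon.last.password"] == AD_PASSWORD


def run_policy(forms, max_ad_attempts):
    """Logon Page -> RSA -> Variable Assign -> AD Auth; AD retries loop to Logon Page only."""
    s, forms = Session(), list(forms)
    logon_page(s, forms.pop(0))
    if not rsa_auth(s):
        return "deny"
    variable_assign(s)
    while True:
        if ad_auth(s):
            return "allow"
        if s.ad_attempts >= max_ad_attempts or not forms:
            return "deny"
        logon_page(s, forms.pop(0))   # retry branch skips Variable Assign, as the post reports


FORM_TYPO = {"username": "alice", "password": RSA_PASSCODE, "password1": "wrong"}
FORM_GOOD = {"username": "alice", "password": RSA_PASSCODE, "password1": AD_PASSWORD}
FORM_SWAPPED = {"username": "alice", "password": AD_PASSWORD, "password1": ""}
```

In this model, a correct retry in the proper field never succeeds while the attempt count is above 1, a retry with the AD password typed into the passcode field does, and an attempt count of 1 ends the flow after the first failure so the user restarts from the top, where Variable Assign runs again.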