ad auth
6 Topics

Adding variable to generic Message Box
I'm having issues with my AD Query. The AD Query agent expression is as follows:

expr { [mcget {session.ad.last.attr.memberOf}] contains "Test.40.Employee" && [mcget {session.ad.last.authresult}] == 1 }

The AD Query isn't sending the user agents down the expected branch, so I'm trying to carry the defined variable into a generic message box to troubleshoot. In the generic message box, I added the below value:

AD Query variable %{session.ad.last.attr.memberOf}

However, when I go through the VPE, the value is not displayed in the message box. Any help on where I'm going wrong?

Create local user account while using remote auth
I want to create a local user account on our BIG-IPs to allow our security team to audit. After I create a local user account and assign partitions, role, etc., I cannot log in with that local account. When I browse to System > Logs > Audit, I see the BIG-IP attempting to validate the credentials against our AD server. How can I configure both remote and local authentication?

APM AD Pool member selected
Is there a way to determine in the APM logs which AD server was selected during the authentication agent? I'm having users reporting authentication errors on their phones, where their username and password fields are already filled; they have between 3 and 10 attempts before authentication is successful.

APM Active Directory Trusted Domains - how to use?
Hi, I checked all docs and community but can't figure out how this feature works. Let's assume we have two AD AAA servers defined:

DomainA - no trust with DomainB
DomainB - no trust with DomainA

Then there is an Active Directory Trusted Domains object created containing both AD AAA servers, with DomainA set as root, named TrustedAB. In the Access Policy the AD Auth object is configured like this:

Server: None
Trusted Domains: TrustedAB
Cross Domain Support: Enabled

In the Logon Page object, Split domain from full Username is set to Yes.

I expected that, based on the value in session.logon.last.domain, AD Auth would be smart enough to choose the correct AD AAA srv from those included in Trusted Domains. But it's not the case. AD Auth is sending a KRBR request to the AD AAA Srv defined as Root in the selected Trusted Domains object. The realm in the request is set to DomainA. When the targeted server replies with a wrong realm error, the process is finished and authentication fails.

When there is a two way forest trust between DomainA and DomainB, then the target AD srv replies with a Kerberos referral placing DomainB in the crealm parameter. Then AD Auth performs a new KRBR request to the DomainB AD AAA Srv and authentication works.

So how exactly does Active Directory Trusted Domains work, and when does it make sense to use it? For sure not when all Domains have two way (or even one way) trust configured - in this case setting one AD AAA Srv and enabling Cross Domain Support is enough.

Piotr

F5 APM Login Page Reload Attempts Username Evaluation
I am working on a tricky F5 issue. While trying to port a custom HTML page from Microsoft TMG to F5 BIG-IP APM, I have come across a behavior on the F5 that I would like to mitigate. This particular custom HTML page requires a link that inserts a cookie and reloads the page. This happens in JavaScript. When the page reloads, the F5 logs an entry for Username ''. After 3 reloads APM reaches Max Failed Login Attempts and displays "Your session could not be established." The first question I have is why is authentication attempted before the Form Submit button is pressed?

JavaScript, Cookie, Page Reload: When the link is pressed, a cookie is inserted and a location.reload() is invoked on the page.

Cookie Evaluation: The presence of the cookie loads an alternate CSS file, and the location.reload() allows the page to load with the new CSS file. This allows for a different logo and color scheme to be applied. When the link is pressed a 2nd time, the cookie is removed, the page is reloaded, and the default CSS file is applied.

Is it possible to prevent the F5 from evaluating form data when the page is reloaded? Would it be possible to redirect the user back to the login page and reset the number of login attempts?

APM AD Auth and two AD forests with two way forest trust
Hi, I am not an AD or APM expert so probably it's some obvious thing I am missing :-(

Setup

Two forests, domainA and domainB, with two way forest trust set. Based on all suggestions the trust is working OK.

APM policy with:
AD AAA srv set for domainA
Logon Page object with Username split enabled
AD Auth with Cross Domain and the AD AAA Srv mentioned before configured

Goal is to use the same AAA srv to authenticate users from domainA and domainB against one AAA srv. But it is not working...

If user@domainA is entered on the logon form, everything is OK.
If user@domainB is entered on the logon form, authentication fails.

Looking at traffic between APM and the AAA srv, I can see that for user@domainB in krb traffic APM sends:
cname (or something like that): user@domainB
realm: domainA
and the AD reply is an error.

So is that an APM config error or am I missing something on the AD side?

Piotr