AD authentication
8 Topics

Need help configuring Active Directory for User Authentication WITH SSL
On our F5 BIG-IP LTM (running 10.2.1) we are able to get Active Directory user authentication without SSL to work, but are having trouble getting it to work correctly with SSL. I have a suspicion that this has to do with the keys. I've entered them and even imported them as trusted device certificates, but I am still unable to get them working correctly. Is there a specific format that they should be in? I've tried PKCS12, PKCS7, and DER.

    auth ldap system-auth {
        bind-dn "cn=\"LDAP Account\",ou=\"Service ACC\",dc=my,dc=lovely,dc=com"
        bind-pw ********
        login-attribute samaccountname
        port ldaps
        search-base-dn dc=my,dc=lovely,dc=com
        servers { MYDC03.my.lovely.com }
        ssl enabled
        ssl-ca-cert-file /etc/keys/ca.cer
        ssl-client-cert /etc/keys/ldaps.crt
        ssl-client-key /etc/keys/ldaps.key
        user-template %s@my.lovely.com
    }

*Names, passwords, and domains have been changed for security.

F5 iApp Exchange 2016 AD - Authentication Fail - UPN suffix mismatch
Hi Everybody,

We are in the process of deploying Exchange 2016 / Outlook 2016 with F5 v11.6.0 (build 4.0.420) and APM. Our reference is the Exchange 2016 deployment guide (https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf). We are using the latest iApp. Without APM it seems to be working fine, but as soon as we enable APM we are having authentication problems with Outlook Anywhere. When we start Outlook 2016, it tries to authenticate using UPN firstname.lastname@company.com. The internal domain used however is company.local instead of company.com. So we are running into the problem described here (https://support.f5.com/csp/article/K12252), where the UPN suffix does not equal the domain suffix. I get the same error "... Please verify Active Directory and DNS configuration...." when doing a manual adauth test via CLI. We cannot seem to get the workaround described to work (replace APM AD Auth with LDAP). Does anybody have a reference or can tell me if it is even possible to configure the APM (i.e. modify the iApp) to use LDAP instead of AD Auth with SSO in this scenario? Any advice would be greatly appreciated. Thanks in advance.

Ingo

F5 APM retrieve AD groups and resend using HTTP POST parameter
Dear all,

I am looking at a particular situation where an internal web server needs to know what kind of AD membership groups are assigned to a user that tries to log in. The authentication only takes place on the F5 APM and NOT on the internal server. The internal server only needs to verify AD group membership, but may not communicate with AD. The idea is to:

- Create a login page using APM
- Authenticate using username and password to AD
- Retrieve the AD group membership
- Include a POST parameter with this AD group membership information and send it to the internal web server

Has somebody already had a similar situation before?

AD attributes in SAML assertion
Configured BIG-IP as an IdP and registered a SAML application as SP. Added an AD Authentication and everything works as expected. But now I would like to pass a few user attributes in the SAML assertion, such as the email address of the user. I understand that just adding the attributes in the local IdP would not help. I also tried to change the Access Profile. Could someone list the steps in detail to fetch the attributes from Active Directory and pass the same in the SAML assertion?

APM Auth to Multiple AD
The scenario is that we have different networks which use different Active Directory domains which are in separate forests with no trust between them. I already have a Virtual Server on the APM platform which authenticates users to one of the Active Directories and, based on group membership, presents different user types with different WebTops containing different applications or Remote Desktops. I now need to build another setup for the second network which authenticates to the second Active Directory and again, based on group membership, presents different user types different resources. With public IP addresses limited I would like to use a single Virtual Server/IP on the APM platform. Ideally I'd like to configure the APM rules along the lines of "authenticate to AD1; if that fails, attempt authentication to AD2". Any thoughts/ideas?

Authenticate with AD on a LTM VIP
Hi - We have a Virtual Server:389 set up with three different AD Windows 2008 R2 servers in the pool, all on port 389. We have another server (not configured on the LTM) sending authentication requests to this VIP:389 to load balance between the domain controllers in our pool. The server will respond back to the client if authentication passes (the traffic between the initial client and server does not traverse the LTM). However this setup is not working. Is this possible to do? Is there AD authentication configuration I need to put on the LTM? We just have the LTM license on this BIG-IP, but if we need to purchase the APM license to do this another way, we can think about that. However, this is an internal server and we don't need SSL VPN support. Thanks!

Is it possible to query AD Server to check for user presence?
The way I see how it is supposed to be working: Logon Page - AD Query to check for user presence - if the user is present, try to authenticate. If the user is not present, append the domain name and use AD Server with cross domain support. I couldn't find any session variable that lets me do this. One possible solution is to use AD Query with "expr { [mcget {session.ad.last.queryresult}] == 1 }" and, if it fails, send over to AD Server with cross domain support. I don't think that from a design standpoint this is the best solution, because what if the user typed in the wrong password? Any help is appreciated.

(APM) I have a need to combine two fields from login page for AD authentication
In AD we have our user accounts in the format username.clientid. Our login page contains fields for: username, password and clientid. The username in the login page entry is just the user's name without the client id attached. Can anyone assist with the process to concatenate the username and clientid in the format listed above for AD authentication, "username.clientid"? Thanks