Forum Discussion
kunjan
May 28, 2014 (Nimbostratus)
The Kerberos TGT cache lifetime by default in APM is 600 minutes. The lowest it can go is 10 minutes. During this period, if the account is locked, it can't be detected by SSO.
But after that, for the new request, Kerberos (S4U2Self) will fail if the account is locked and the server will throw a 401. So if we capture this 401 and restart the APM session, I guess we can go to the AD query to check for the account status. Try if this helps: tune "ticket-lifetime 10" in the Kerberos SSO and apply the iRule.
when HTTP_RESPONSE {
    # A 401 after the TGT lifetime has expired means the Kerberos SSO
    # (S4U2Self) request failed, e.g. because the account is now locked.
    if { [HTTP::status] == 401 } {
        # Drop the APM session so the next request re-runs the access
        # policy, including the AD query that checks the account status.
        ACCESS::session remove
        # Send the client back to "/" and expire the MRHSession cookie.
        HTTP::respond 302 Location "/" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
    }
}