Forum Discussion

Luca_55898's avatar
Luca_55898
Icon for Nimbostratus rankNimbostratus
Aug 15, 2011

APM - LDAP Authenticaion multiple domains

Hi,

 

We have an LTM using the APM module for our Outlook Web Access service.

 

 

We have users from numerous AD domains who need to authenticate. In the visual policy editior i created an LDAP auth for one domain, then if a user fails that one, it will fallback to another LDAP auth for the other domain.

 

 

Looking at the logs i can see the user fail on the first LDAP query, but then it does not try the seccond LDAP query... Any thoughts on this?

 

 

Basically I need to be able to authenticate users from different domains, it would be good if this could be done using the domain\username method.

 

SSO is also in use here...

 

 

 

config
design

7 Replies

Sort By
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 15, 2011
    This is possible today, but not for the faint of heart. You'll need to create a "front door" virtual for the APM session, and then a virtual for each domain, each requiring its own access policy with NTLM SSO, iRules, etc. v11, announced late last month and due to ship shortly, will have some built-in support for this, though I have not yet seen the details.
  • Luca_55898's avatar
    Luca_55898
    Icon for Nimbostratus rankNimbostratus
    Aug 15, 2011
    Thanks Jason,

     

     

    So if you have a 'front door' VIP, how to the other VIPs for each domain tie in together?

     

     

    Is there any article the explains this? It can't be that much of an obscure request

     

     

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 16, 2011
    iRules tie it all together. I can try to put an article together to detail the process, but it'll be next week at the earliest. Your SE might have a faster path to mocking this up if you can't wait.
  • Luca_55898's avatar
    Luca_55898
    Icon for Nimbostratus rankNimbostratus
    Aug 17, 2011
    That would be usefull. thanks.

     

    I will log a call with our support as well.
  • worf359_98967's avatar
    worf359_98967
    Icon for Nimbostratus rankNimbostratus
    Aug 18, 2011
    I have a similar, but slightly different requirement. In the visual policy editor I have a AD Auth for one domain, which should fallback to another domain if that one fails.

     

     

    From the logs, the first AD Auth fails in krb5_get_init_creds_password() user not found in Kerberos database and returns an error code (from AD?) and message - Please verify Active Directory and DNS configuration. (-1765328378).

     

     

    But it doesn't follow the fallback path into the next AD Auth.

     

     

    Is this a similar issue?

     

  • farache_28983's avatar
    farache_28983
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2012
    I have V11.2 and have this same issue.

     

     

    I need to authenticate via several domains, but after the first one AD auth don't pass, then the fall back rule for checking the second domain does not fire up.

     

     

    I think it is because it does not fail, but it is because it cannot find the user maybe? not sure..

     

     

    Has anyone been able to fix this some way or got a way to authenticate users across several different domains?
  • Wim_Vermoens_98's avatar
    Wim_Vermoens_98
    Icon for Nimbostratus rankNimbostratus
    Jan 22, 2014

    Hi all

     

    I resolved this issue by doing first an LDAP query to first specific domain. in a form like this. this also resolves the problem that you cannot have both UPN and pre-windows 2000 logons. In our case you now can logon with the both logon forms, AND for multiple domains

     

    Logon Page -> Fallback -> Variable assign (Custom Variable: session.custom.last.username = Session Variable session.logon.last.username) -> Fallback -> (macro Domain 1) -> LDAP Query to first domain (|(UserPrincipalName=%{session.custom.last.username}@%{session.logon.last.domain})(sAMAccountName=%{session.custom.last.username}))

     

    -> Variable Assign session.logon.last.username = LDAP attribute name sAMAccountName Expression on branch 1: expr { [mcget {session.logon.last.username}] equals "" }

     

    So if this variable assign sets the value of session.logon.last.username to "" we will not continue to AD Auth, but we will flow into the next macro for the second domain. This is how we know that the query failed to the first domain.

     

    Branch 1 -> Failure -> Macro Domain 2) -> repeat same steps for domain 2 Fallback -> AD Auth -> Succesfull -> Allow ending -> Fallback -> Deny ending

     

    So the only extra thing you need to setup is an extra (per domain) AAA pool from the LDAP type.