Forum Discussion

JJ_41469
May 23, 2014

Query AD for Account Lockout status in APM/iRules

I currently have an APM policy that does cert auth then gets a Kerberos ticket on behalf of the user. My management wants to add an account lockout feature, so we could use this same setup to detect when the users domain account is locked out and automatically redirect them to a custom "unlock my account" page.


So far I was able to get this working by adding a step in APM to run an AD Query (&(sAMAccountName=xxx)(lockoutTime>=1)) and then set a flag AccountLockout to 1 if that query passes.


when ACCESS_POLICY_COMPLETED {
   # AccountLockout is set to 1 by the AD Query branch in the access policy
   if { [ACCESS::session data get AccountLockout] equals 1 } {
      ACCESS::respond 302 Location https://xxx/accountlockout
   }
}


The problem with this current solution is twofold:


  1. This only gets checked on a new session. How would I go about checking this when resuming an existing session?
  2. It seems to take about 5 minutes for our DCs to propagate this "lockoutTime" attribute, and this is problematic.

So unfortunately the current solution is somewhat unworkable. I had considered other ways to detect a lockout that would be nearly instant (track 401s triggered by a client over multiple page loads, perhaps?), or changing the session time to 5 minutes, which would cause the full APM policy to be triggered more often, but that of course has other problems.


Just looking for any ideas/suggestions/etc. Thanks!


  • Jeremy
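Added example (not from the original post, and not F5 or APM code): a small Python model of the lockout check behind the AD Query described above. It builds the (&(sAMAccountName=xxx)(lockoutTime>=1)) filter with RFC 4515 escaping of the account name, so a name containing filter metacharacters cannot change the structure of the query, and it evaluates whether a lockout is still in force from lockoutTime (a Windows FILETIME, 100 ns ticks since 1601) together with the domain's lockoutDuration. The reason for the second part is that AD does not clear lockoutTime when the lockout window expires, only on the next successful logon, so a lockoutTime>=1 filter on its own also matches accounts whose lockout has already run out. The sample entries, the 30-minute duration, the fixed "now", and the treatment of a lockoutDuration of 0 or the minimum int64 as "locked until an administrator unlocks" are constructed assumptions for the example.

```python
"""Model of an AD account-lockout check: filter construction plus lockoutTime evaluation."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; lockoutTime is stored as 100 ns ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lockoutDuration lives on the domain object as a negative count of 100 ns ticks.
# Assumption for this example: 0 or the most negative int64 means "until an admin unlocks".
LOCKOUT_UNTIL_UNLOCKED = {0, -(2 ** 63)}


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert 100 ns FILETIME ticks to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks without going through floats."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: \\ * ( ) and NUL become \\XX hex escapes."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_lockout_filter(sam_account_name: str) -> str:
    """The filter from the post, with the account name escaped rather than pasted in raw."""
    return '(&(sAMAccountName=%s)(lockoutTime>=1))' % escape_filter_value(sam_account_name)


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True only while the lockout is still in force.

    lockoutTime == 0 means never locked (or reset by a later successful logon).
    Otherwise the lockout ends at lockoutTime + |lockoutDuration| unless the domain
    policy says the account stays locked until an administrator unlocks it.
    """
    if lockout_time == 0:
        return False
    if lockout_duration in LOCKOUT_UNTIL_UNLOCKED:
        return True
    expires_at_ticks = lockout_time + (-lockout_duration)
    return datetime_to_filetime(now) < expires_at_ticks


# Constructed sample data: a fixed "now" and what an AD Query could return per account.
SAMPLE_NOW = datetime(2014, 5, 23, 12, 0, tzinfo=timezone.utc)
DOMAIN_LOCKOUT_DURATION = -18_000_000_000  # 30 minutes, in the negative-ticks form AD uses
SAMPLE_ENTRIES = {
    'alice': datetime_to_filetime(SAMPLE_NOW - timedelta(minutes=10)),  # locked 10 minutes ago
    'bob': datetime_to_filetime(SAMPLE_NOW - timedelta(minutes=45)),    # lockout expired, attribute not cleared
    'carol': 0,                                                           # never locked / reset by logon
}


def matched_by_filter(entries: dict) -> list:
    """Accounts the (lockoutTime>=1) clause would return, regardless of expiry."""
    return sorted(name for name, ticks in entries.items() if ticks >= 1)


def classify(entries: dict, lockout_duration: int = DOMAIN_LOCKOUT_DURATION,
             now: datetime = SAMPLE_NOW) -> dict:
    """Map each account to whether its lockout is actually still in force."""
    return {name: is_locked_out(ticks, lockout_duration, now) for name, ticks in entries.items()}


if __name__ == '__main__':
    print(build_lockout_filter('j*smith'))
    print('filter matches:', matched_by_filter(SAMPLE_ENTRIES))
    print('still locked:  ', classify(SAMPLE_ENTRIES))
```

Run as a script it shows that the filter clause matches both alice and bob, while only alice is still locked under a 30-minute policy; with a "locked until unlocked" policy bob counts as locked too. If the APM AD Query can also fetch the domain's lockoutDuration (or it is known from policy), the same comparison can be done in the policy branch before the AccountLockout flag is set.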

3 Replies

  • kunjan

    Are you using Kerberos SSO or Kerberos end user logon authentication?


  • kunjan -


    We are using Kerberos Constrained Delegation to have the f5 negotiate a ticket to the backend server on behalf of the client, and simply cert-auth the client to the f5 (no Kerberos client>f5)


  • kunjan

    The Kerberos TGT cache lifetime by default in APM is 600 minutes. The lowest it can go is 10 minutes. During this period, if the account is locked, it can't be detected by SSO.

    But after that, for the new request, Kerberos (S4U2Self) will fail if the account is locked and the server will return a 401. So if we capture this 401 and restart the APM session, I guess we can go to the AD query to check for the account status.

    Try this and see if it helps: set "ticket-lifetime 10" in the Kerberos SSO and apply the iRule.

    when HTTP_RESPONSE {
       # A 401 from the backend after SSO means the S4U2Self request failed
       if { [HTTP::status] == 401 } {
          # Drop the APM session so the next request runs the full access policy again
          ACCESS::session remove
          # Send the client back to the start and clear its MRHSession cookie
          HTTP::respond 302 Location "/" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
       }
    }