Query AD for Account Lockout status in APM/iRules
I currently have an APM policy that does cert auth and then gets a Kerberos ticket on behalf of the user. My management wants to add an account lockout feature, so we could use this same setup to detect when the user's domain account is locked out and automatically redirect them to a custom "unlock my account" page.
So far I was able to get this working by adding a step in APM to run an AD Query (&(sAMAccountName=xxx)(lockoutTime>=1)) and then set a flag AccountLockout to 1 if that query passes.
when ACCESS_POLICY_COMPLETED {
    # AccountLockout is the session variable set to 1 by the AD Query branch above
    if { [ACCESS::session data get AccountLockout] equals 1 } {
        ACCESS::respond 302 Location https://xxx/accountlockout
    }
}
The problem with this current solution is twofold:
- This only gets checked on a new session. How would I go about checking this when resuming an existing session?
- It seems to take about 5 minutes for our DCs to propagate this "lockoutTime" attribute, and this is problematic.
So unfortunately the current solution is somewhat unworkable. I had considered other ways to detect a lockout that would be nearly instant (track 401s triggered by a client over multiple page loads, perhaps?), or change the session time to 5 minutes, which would cause the full APM policy to be triggered more often, but that of course has other problems.
Just looking for any ideas/suggestions/etc. Thanks!
- Jeremy
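An added worked example, not part of Jeremy's post or of any F5 code: the AD Query step above treats any account matching (lockoutTime>=1) as locked, but AD only resets lockoutTime on the next successful logon, so an account whose lockout window has already expired still carries a non-zero lockoutTime and still matches that filter. The Python below (standard library only, constructed sample entries rather than a live LDAP result set) converts the FILETIME values and compares lockoutTime + |lockoutDuration| against the current time, which is the check that distinguishes "still locked" from "stale attribute". The account names, timestamps and the 30-minute lockoutDuration are constructed assumptions.

```python
"""Constructed example: interpret AD lockoutTime the way the APM AD Query step uses it."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: lockoutTime counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration of Int64.MinValue means "locked until an administrator unlocks".
LOCKOUT_NEVER_EXPIRES = -(1 << 63)
# lockoutDuration is stored as a negative count of 100-ns units; 30 minutes is a common default.
# (Constructed value for this example, not read from a real domain.)
THIRTY_MINUTES = -30 * 60 * 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD large-integer timestamp (lockoutTime, pwdLastSet, ...) to aware UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding near 1e17."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def matches_lockout_filter(entry: dict) -> bool:
    """Mirror the post's LDAP filter term (lockoutTime>=1): any non-zero lockoutTime matches."""
    return entry.get("lockoutTime", 0) >= 1


def is_effectively_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True only while the lockout is still in force.

    lockoutTime is not cleared when the duration expires; AD resets it on the next
    successful logon. A stale non-zero value must therefore be compared against
    lockoutTime + |lockoutDuration| before the account is treated as locked.
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True
    unlock_at = filetime_to_datetime(lockout_time) + timedelta(
        microseconds=abs(lockout_duration) // 10
    )
    return now < unlock_at


def classify(entries, lockout_duration: int, now: datetime) -> dict:
    """Return {sAMAccountName: (filter_matches, effectively_locked)} for a result set."""
    return {
        e["sAMAccountName"]: (
            matches_lockout_filter(e),
            is_effectively_locked(e.get("lockoutTime", 0), lockout_duration, now),
        )
        for e in entries
    }


# Constructed sample "search results", not real directory data.
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    # never locked: lockoutTime is zero
    {"sAMAccountName": "alice", "lockoutTime": 0},
    # locked five minutes ago: inside the 30-minute window
    {"sAMAccountName": "bob", "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    # locked two hours ago: window expired, attribute still set, filter still matches
    {"sAMAccountName": "carol", "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
]

if __name__ == "__main__":
    for name, (matched, locked) in classify(SAMPLE_ENTRIES, THIRTY_MINUTES, NOW).items():
        print(f"{name:6} filter-match={matched!s:5} effectively-locked={locked}")
```

Running it shows carol matching the (lockoutTime>=1) filter while no longer being locked, which is exactly the case that would send an already-unlocked user to the "unlock my account" page; reading lockoutDuration from the domain head and applying the same comparison in the policy avoids that false positive.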