Forum Discussion

AN_168028
Jan 24, 2017

AD QUERY AFTER KERBEROS AUTHENTICATION

Can I use AD Query after Kerberos authentication?


I tried putting AD Query after Kerberos auth and Variable Assign, with the AD Query search filter %{session.sso.token.last.username}, and I found the following:


bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.logon.last.domain' set to 'DOMAIN1.DOMAIN.COM'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'userPrincipalName' set to 'user1'
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_message_box_ag', return value 0
bigip info apmd[28998]: 01490006:6: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'Message Box' to item 'AD Query'
bigip debug apmd[28998]: 01490011:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: ENTER Function executeInstance
bigip debug apmd[28998]: 01490231:7: /frontend/f5-kerberos:frontend:8e2e231e: AD Agent: Configured to use /frontend/AAA-Servers as a server
bigip debug apmd[28998]: 01490023:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: ENTER Function queryActiveDirectory
bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
bigip debug apmd[28998]: 01490111:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: authenticate(): empty password detected (-1)
bigip debug apmd[28998]: 01490024:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: LEAVE Function queryActiveDirectory
bigip info apmd[28998]: 01490019:6: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: Query: query with 'user1' failed
bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for authentication to work properly.
bigip debug apmd[28998]: 01490012:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: LEAVE Function executeInstance
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_active_directory_query_ag', return value 0
bigip notice apmd[28998]: 01490005:5: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'AD Query' to ending 'Deny'
bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_end_deny_ag', return value 0


1 Reply

  • I had a similar issue where my domain name was getting appended to the username twice in the AD query, i.e. the username was being sent across in the AD Query as: username@DOMAIN.com@domain.com.

    My fix was to add a "Variable Assign" between the Kerberos and AD Query steps within my Policy.

    I set the Custom Variable field to:

    session.logon.last.username
    

    Then set the Custom Expression field to:

    expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }
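The following is an added example written for this thread, not F5 code and not either poster's: a small parser for apmd lines in the shape quoted in the question, which groups them by access session and names the two failures the log reports, plus a Python equivalent of the reply's Tcl Variable Assign expression. The sample lines are constructed from the quoted log; the message codes are the ones that appear there.

```python
import re
from collections import defaultdict

# Constructed sample, taken from the apmd log quoted in the question (one failing session).
SAMPLE_LOG = """\
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information.
bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
"""
# Line shape of the quoted log: "bigip <level> apmd[<pid>]: <code>:<sev>: <session id>: <message>"
LINE_RE = re.compile(r"^bigip (?P<level>\w+) apmd\[\d+\]: (?P<code>\d{8}):\d: "
                     r"(?P<session>\S+): (?P<msg>.*)$")
SETVAR_RE = re.compile(r"Session variable '(?P<name>[^']+)' set to '(?P<value>[^']*)'")
# The two failure codes from the quoted log and what apmd reports beside them.
FINDINGS = {
    "01490107": "AD Query ran with an empty password after Kerberos auth",
    "01490162": "username carries domain info; split it before AD Query "
                "(Logon Page 'Split domain' option, or the reply's Variable Assign)",
}


def strip_domain(username):
    """Python equivalent of the reply's Tcl expression
    expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }:
    keep what precedes the first '@', so 'user@DOMAIN.com@domain.com' -> 'user'."""
    return username.split("@")[0]


def parse_apm_log(text):
    """Group apmd lines by access-session id; collect variables, codes and the policy result."""
    sessions = defaultdict(lambda: {"vars": {}, "codes": [], "result": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an apmd line in the expected shape
        s = sessions[m["session"]]
        s["codes"].append(m["code"])
        v = SETVAR_RE.search(m["msg"])
        if v:
            s["vars"][v["name"]] = v["value"]
        if m["msg"].startswith("Access policy result: "):
            s["result"] = m["msg"].split(": ", 1)[1]
    return dict(sessions)


def diagnose(session):
    """Return the findings that explain a fall-through from AD Query to Deny."""
    return [FINDINGS[c] for c in session["codes"] if c in FINDINGS]
```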