Get the wrong account on the application after two logon attempts

Question

Hi Guys,&nbsp;
After a wrong log in with a bad password again the box AD Auth, I do a right log in with an other username and I get the account of the previous people on the backend.&nbsp;
Indeed, the authentication on the backend and the application is based on an HTTP Header built by the F5 from the information of session.ad.last.attr.UserPrincipalName get by an AD Query.&nbsp;
The mechanism:&nbsp;
I create a custom variable session after the logon page with session.logon.last.username@domain and I use this new custom variable to lookup in the AD with an AD Query after the AD Auth. I get the UserPrincipal Name to built the HTTP Header afterward.&nbsp;
Problem&nbsp;
I get the account of the previous people on the backend. It seems we have some caching during the APM Workflow when I change the account with a right password against the Ad Auth for the second attempt.&nbsp;
Do you why the APM Workflow keep my custom variable in cache ?&nbsp;
Thanks a lot for your help.&nbsp;
Morgan&nbsp;

youssef1 · Answer

Hi Morgan,&nbsp;
I already encounter this kind of behaviour because of the location of "variable Assign".&nbsp;
Can you set up your " Variable Assign" after AD auth then try again?&nbsp;
keep me update if you need more details.&nbsp;
regards,&nbsp;

stanislas_piro2 · Answer

Hi,
the problem is when your policy is like that:
start --&gt; logon page --&gt; variable assign --&gt; AD auth

First authentication logon page is managed in Logon page boxall other authentication attempts are managed within AD auth box... there is not backward in decision tree.
So every decision between logon page and AD auth are evaluated only once during first authentication.
To solve the issue, 
create a macro with "loop count" define to 3  
configure the same policy within this macro. except that you define the AD auth max attempts to 3.  
connect AD auth failure to loop ending.
the macro will force to evaluate again every box during next authentication attempts.

Forum Discussion

Get the wrong account on the application after two logon attempts

2 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Create a DevCentral account

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection

Getting Started with BIG-IP Next: Migrating an Application Workload

ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence

Application Programming Interface (API) Authentication types simplified