Forum Discussion

Christian
Nov 25, 2019

F5 APM Check Domain Membership

Hello Community,


In F5 APM policies, is there any option to check Domain Membership in a computer?

We need to create a policy that restricts access to only computers joined to the domain.

Thanks for your help.


Christian G.

4 Replies

  • Hello, you do this by adding a Registry Check object in the APM VPE and use the following in that check:

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"."Domain"="example.F5.com"

  • Hello, thanks for your reply. I found this information, which says that I can use a Machine Certification Authentication Agent to check domain membership. Has someone used this method?

    Machine Certification Authentication Agent

    When configured on the domain controller, Windows Machine Certificates will automatically be installed when a Windows PC joins the AD domain. This is true for Windows Vista and later and Windows 2008 Server and later. The process of installing the machine certificate is manual for earlier versions.

    This machine cert can be used in the authentication process, typically as part of a two-factor auth process. There are three branches for the agent.

    • Successful: the Machine Certificate was found and the private key was verified.

    • Found: the Machine Certificate was found, but the private key was not verified. This is possibly because it could not be read due to misconfiguration or due to Windows permissions. Regardless of reason, this is not a valid security proposition.

    • Fallback: as an invalid logon attempt.

  • I am not aware of doing a domain check with a Machine Cert, nor do I see anything in the info posted that indicates you can do this.
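The following PowerShell script is an added example, not code from the thread or from F5. It reproduces on the endpoint the comparison that the Registry Check suggested in the first reply performs (the `Domain` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, which is the machine's primary DNS suffix, written at domain join) and cross-checks it against the operating system's own `PartOfDomain` flag from `Win32_ComputerSystem`. The cross-check matters because the registry value is a plain string that a local administrator can set on a machine that was never joined, so a match on that value alone shows what the APM check will see, not proof of membership. The expected domain `example.F5.com` is taken from the first reply; the script file name `Check-ApmDomain.ps1` is assumed.

```powershell
# Added example (not from the thread or from F5). Save as Check-ApmDomain.ps1 (assumed
# name) and run on a Windows client; exits 0 only when both checks agree.
param(
    # Assumed expected domain, taken from the registry check in the first reply.
    [string]$ExpectedDomain = 'example.F5.com'
)

# The value an APM Registry Check on this key reads: the primary DNS suffix.
# It is set at domain join, but a local administrator can also edit it by hand.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regDomain = (Get-ItemProperty -Path $regPath -Name 'Domain' -ErrorAction SilentlyContinue).Domain

# Independent source: the OS's own view of domain membership.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$registryMatches = ($null -ne $regDomain) -and ($regDomain -ieq $ExpectedDomain)
$osMatches       = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

# Verdict: pass only when the registry string matches AND the OS agrees the host is
# joined to that same domain. A registry-only match would satisfy the APM check but
# does not by itself establish membership.
$verdict = if ($registryMatches -and $osMatches) {
    'PASS: registry suffix matches and OS reports membership in the expected domain'
} elseif ($registryMatches) {
    'WARN: registry suffix matches but OS does not report membership in that domain'
} else {
    'FAIL: registry Domain value does not match the expected domain'
}

[pscustomobject]@{
    ExpectedDomain  = $ExpectedDomain
    RegistryDomain  = $regDomain
    OsDomain        = $cs.Domain
    PartOfDomain    = [bool]$cs.PartOfDomain
    RegistryMatches = $registryMatches
    Verdict         = $verdict
} | Format-List

exit ([int](-not ($verdict -like 'PASS*')))
```

Run it on a joined workstation and on a standalone test machine whose `Domain` value has been set to the same string: the first returns PASS, the second returns WARN, which is exactly the case the registry check alone cannot distinguish.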