F5 APM - Active Directory AAA profile and port 636 w/ SSL
As you probably already know, Microsoft is enforcing all LDAP binds to require a secure channel binding or LDAPS in March 2020. This means port 389 for LDAP queries will fail after the March Windows patch is deployed. Our ActiveSync and OWA Exchange VIPs were deployed using the Exchange iApp and have Active Directory AAA profiles for access through the APM. I've looked through the profile settings and do not see where to change the port from 389 to 636. How do we force the Active Directory AAA profiles to use 636 with SSL?

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536

Edit: I did see another post regarding this and found this article that states no changes are necessary for Active Directory profiles? https://support.f5.com/csp/article/K30054212

Is there an example of setting an Active Directory attribute from F5 iRule or Access Policy?
I want to set the password to be changed for an Active Directory account which I have fetched via a query. The documentation for AD seems suitably dense and unreadable, but I'm fairly sure it'll eventually reveal the right setting to twiddle (probably setting pwdLastSet to "0"). But I'm not sure how to do this on F5. Also, is the code for the APM "AD Auth" visible anywhere, as I'd like to see how it works, which would presumably answer this and other questions I have.

Kerberos Authentication from Multiple Forests
I've set up an F5 APM device with some Kerberos auth using the steps here - http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html - and it is working for AD accounts in the forest where I have followed the steps. I have struck an issue, though, with being able to get accounts in another AD forest (that is fully trusted - in the AD sense) to authenticate, or even find log info on why the kerb auth fails. Anybody have any ideas on how to get some log details on why the kerb auth fails, and what's needed to allow accounts from multiple AD forests?

Help troubleshooting AD Auth on F5 LB
Hi All. We're trying to configure AD auth and running into major issues. The strange thing is that telnet succeeds, I've reset and confirmed the bind user's password, and have reset and confirmed the test AD user password. Any help will be much appreciated!

Successful connection on 389 and 3269:

[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 3269
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.
[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 389
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.

In /var/log/secure, I see:

Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie DE71A3EB7E09C285EE804A880D473DA378684CCB - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie F69E5702BC54A5517DD6CF34EFB66C09E2939501 - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie ED2B8DAF7E221E2572F7094214AAB91947FE048D - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: reconnecting to LDAP server...
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 warning httpd[8867]: pam_unix(httpd:auth): check pass; user unknown
Apr 21 19:43:37 lb1 notice httpd[8867]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=<IP>
Apr 21 19:43:38 lb1 err httpd[8867]: [error] [client <IP>] AUTHCACHE PAM: user 'devf5test' (fallback: false) - not authenticated: Authentication failure, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: 01070417:6: AUDIT - user devf5test - RAW: httpd(pam_audit): User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").

F5-LTM active directory and http/s
Looking to utilize LTM to handle traffic within a domain that wasn't configured following best practices. Currently, the Active Directory domain and the primary website share the same domain name. Clients have historically reached the website via a "www" CNAME, but this CNAME needs to be removed for SEO purposes. The CNAME was removed from external DNS for clients connecting via the WAN. I would like to duplicate this behavior for LAN clients without placing a reverse proxy web server on the domain controllers, and need an option that will perform more reliably than adding a netsh portproxy rule to handle port 80 and 443 traffic. How can I configure the LTM so that Active Directory LAN client traffic destined for "ourdomainname.com" reaches our Active Directory servers, and LAN client traffic via ports 80 and 443 destined for "ourdomainname.com" is directed to the web servers' IP address?

AD attributes in SAML assertion
Configured BIG-IP as an IdP and registered a SAML application as SP. Added an AD Authentication and everything works as expected. But now I would like to pass a few user attributes in the SAML assertion, such as the email address of the user. I understand that just adding the attributes in the local IdP would not help. I also tried to change the Access Profile. Could someone list the steps in detail to fetch the attributes from Active Directory and pass the same in the SAML assertion?

Max length of LDAP attribute in queries to Active Directory?
Hi all, I'm working with multiple Active Directory domains (same forest) containing users, but the APM I'm configuring does not have access to any global catalog servers. An APM policy is configured to authorize users from any of the domains by checking for their membership in a universal group, which exists in one domain. The APM is permitted to reach domain controllers in that one domain. To perform authorization, we bind to the group in an LDAP Query action and check the member attribute in a branch rule with the following expression:

expr { [string tolower "[mcget {session.ldap.last.attr.member}]"] contains [string tolower "[mcget {session.logon.last.username}]"] }

My question is, is there a limit to the size of the response along the way, in case the membership of the group grows quite large? I'm unaware of any specific limits on LDAP responses, but want to check on the AD and F5 sides. Might the domain controller truncate its response at a certain size, might the F5 truncate the response received above a certain point, or might I run into issues if the size of the member attribute is too large to grep/"contains" for my username? Short of gaining access to a global catalog (which is not an option in the short term) and binding to users to check memberOf, or checking all three domain controllers in a cascading/waterfall configuration, are there any other alternatives you have seen to accomplish this?

Thanks,
Chris

AD query for a user from a trusted domain (forest trust)
Hi! Been trying to solve this for a while, but can't find how to do this... I have seen similar questions on the forum without response; maybe this time is the one! I have two domains, domain A and domain B. Domain A is configured to trust domain B. Also, users from domain B belong to some AD groups on domain A. I have set up an access policy where users from domain A authenticate against domain A, and users from domain B authenticate against domain B (two different AAA servers). This is working fine. My question is: how can I check the group membership of domain A groups for a user from domain B? I need to make a query to domain A asking for the "memberOf" attr for a trusted user which is originally from domain B. If I try to do this, the AD Query does not find the user, as the CN, sAMAccountName, SID, and GUID for the domain B user are not the same in domain A. Any ideas on how to achieve this?

Regards,
Gerar

BIG-IQ 6.0.1 and AD User Groups
This is a PoC for BIG-IQ, so I'm playing around with the system. I've set up AD as the Auth Provider, assigned a User Group for my team, and assigned the Administrator Role. However, when trying to authenticate, an error message says "User has no roles or group associations." I can't authenticate with my AD credentials until I also add my AD username under the Users list. This is different from my LTMs, which permit authentication based on a user's security group membership. Do I have to add specific users for every account that needs access to the BIG-IQ?

BIG-IQ not mapping AD groups to User Groups
I'm currently trying to get a BIG-IQ instance working correctly with a customer's AD service. This service already works 100% fine with the existing BIG-IP devices, confirming that the AD setup is ok. I've no doubt this is a PICNIC error on my part, but I'm not an LDAP/AD person by trade. We have managed to get the BIG-IQ to authenticate users, so we know we have connectivity to the AD side of things. I've created a user group to map people who are in the F5Admins group so that they should automatically be given the role of Administrator. What I've found out from performing an ldapsearch is that the username they type in (format Xnnnnnnnnn) doesn't appear in the search for the F5Admins group members, and for some reason the BIG-IPs can handle this but the BIG-IQ cannot. Below is the output from the ldapsearch (sanitised output):

ldapsearch -x -h 1.2.3.4 -b "ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk" -s sub "(cn="F5Admins")" -v -D "cn=XXXX,ou=XXXXX Accounts,dc=xxxxx,dc=xxx,dc=uk" -W
ldap_initialize( ldap://1.2.3.4 )
Enter LDAP Password:
filter: (cn=F5Admins)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=F5Admins)
# requesting: ALL
#

# F5Admins, (output snipped)
dn: CN=F5Admins,OU=XXXX,ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk
objectClass: top
objectClass: group
cn: F5Admins
member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jack),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
(output snipped but contains similar user information)
distinguishedName: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk

I am unable to provide screenshots of the other parts of the config as it contains information that the customer doesn't want to be made public.