Applies To: BIG-IP APM 11.5.1
About Active Directory queries
When running the AD Query access policy item, Access Policy Manager (APM) queries an external Active Directory server for additional information about the user. The AD Query item looks up the attribute memberOf to fetch the groups to which a user belongs and provides an additional option to fetch the primary group.
The AD Query item does not authenticate user credentials. To authenticate users, use another or an additional authentication item in the access policy.
About nested groups in Active Directory and LDAP queries
A nested group is a group that is a member of another group. For example, group1 is a member of group3 and group4. A user, user1, that belongs to group1 and group2 also belongs to group3 and group4 through nesting.
Whether AD Query and LDAP Query return nested groups in session variables
The AD Query and LDAP Query access policy items return and store the groups to which a user belongs in the memberOf session variable.
The contents of the memberOf session variable differ depending on whether the Fetch Nested Group setting is enabled or disabled in AD Query or LDAP Query properties:
- Enabled - The memberOf session variable contains all groups to which the user belongs. As in the example, this includes group1, group2, group3, and group4.
- Disabled - The memberOf session variable contains groups to which the user belongs directly. Based on the example, this would be group1 and group2.
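To make the Enabled/Disabled difference concrete, here is an added Python example (not F5's code) that walks a constructed group layout matching the text's example: group1 is a member of group3 and group4, and user1 belongs directly to group1 and group2. It also shows why an access policy rule that keys on a parent group such as group3 only matches when Fetch Nested Group is enabled, and it terminates on circular nesting, a case the text does not cover. The plain group names are a simplification; real memberOf values are full distinguished names.

```python
from collections import deque

# Constructed directory data (not a real query result): each group's own
# memberOf attribute, i.e. the groups it is directly a member of. This mirrors
# the text's example where group1 is a member of group3 and group4.
GROUP_MEMBER_OF = {
    "group1": ["group3", "group4"],
    "group2": [],
    "group3": [],
    "group4": [],
}

# Constructed user entries: the memberOf attribute exactly as the directory
# returns it, which lists direct memberships only.
USER_MEMBER_OF = {
    "user1": ["group1", "group2"],
}


def direct_groups(user, user_member_of=USER_MEMBER_OF):
    """Fetch Nested Group disabled: the user's memberOf attribute as returned."""
    return list(user_member_of.get(user, []))


def nested_groups(user, group_member_of=GROUP_MEMBER_OF, user_member_of=USER_MEMBER_OF):
    """Fetch Nested Group enabled: follow memberOf from group to group.

    Breadth-first walk with a visited set, so circular nesting (A in B and
    B in A) terminates instead of looping; each group is reported once, in
    the order it was first reached.
    """
    result = []
    visited = set()
    queue = deque(direct_groups(user, user_member_of))
    while queue:
        group = queue.popleft()
        if group in visited:
            continue
        visited.add(group)
        result.append(group)
        queue.extend(group_member_of.get(group, []))
    return result


def member_of_session_variable(user, fetch_nested_group,
                               group_member_of=GROUP_MEMBER_OF,
                               user_member_of=USER_MEMBER_OF):
    """The list that ends up in the memberOf session variable for this user.

    Simplification (assumed, not APM's format): plain group names instead of
    full distinguished names.
    """
    if fetch_nested_group:
        return nested_groups(user, group_member_of, user_member_of)
    return direct_groups(user, user_member_of)


def group_rule_matches(user, required_group, fetch_nested_group):
    """Models an access policy branch rule of the form "memberOf contains <group>".

    A rule that keys on a parent group such as group3 only matches when nested
    groups are fetched; with the setting disabled the user takes the fallback
    branch even though the directory does consider them a member of group3.
    """
    return required_group in member_of_session_variable(user, fetch_nested_group)


if __name__ == "__main__":
    for enabled in (True, False):
        print("Fetch Nested Group", "enabled: " if enabled else "disabled:",
              member_of_session_variable("user1", enabled))
```

The practical point for policy design: if a rule grants access based on a parent group, verify that Fetch Nested Group is enabled on the query item, or the rule will silently never match for users who inherit that membership.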
About Active Directory password management
Access Policy Manager (APM) supports password management for Active Directory authentication.
How APM supports password reset
The process works in this sequence:
- Access Policy Manager uses the client's user name and password to authenticate against the Active Directory server on behalf of the client.
- If the user password on the Active Directory server has expired, Access Policy Manager returns a new logon screen back to the user, requesting that the user change the password.
- After the user submits the new password, Access Policy Manager attempts to change the password on the Active Directory server. If this is successful, the user's authentication is validated.
If the password change fails, it is likely that the Active Directory server rejected it because the password did not meet the minimum requirements such as password length.
Number of attempts APM provides for password reset
In the AD Auth action, APM provides a Max Password Reset Attempts Allowed property.
Change password option
In the Logon page action, APM provides a Checkbox property in the visual policy editor. You can add the option on the APM logon screen to change the log on password.
About how APM handles binary values in Active Directory attributes
For Active Directory, Access Policy Manager (APM) converts an attribute value to hex only if the value contains unprintable characters. If the session variable contains several values, and one or more of those values is unprintable, then APM converts only those particular values to hex.
Case 1:
Handling of attributes with single value:
7ecc84a2.session.ad.last.attr.objectSid 58 / 0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000
Case 2:
Handling of attributes with multiple values (mix of binary and non-binary values):
7ecc84a2.session.ad.last.attr.memberOf 460 | CN=printable group,OU=groups,OU=someco,DC=sherwood,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352 | / c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d | / CN=Domain Users,CN=Users,DC=smith,DC=labt,DC=fp,DC=somlabnet,DC=com | / CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | / CN=Users,CN=Builtin,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com |
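The following added Python example (not F5's code) reproduces the rule described above: a value is stored as text when it is printable and as 0x-prefixed hex otherwise, and in a multi-valued attribute only the unprintable members are converted. It assumes that "unprintable" means any byte outside printable ASCII (0x20 to 0x7E); that reading matches Case 2, where a DN containing the characters ½¡ (UTF-8 bytes c2 bd c2 a1) was hex-encoded. The objectSid bytes are taken from Case 1 (28 bytes, so the 0x-prefixed string is 58 characters long, the length shown beside the variable); the memberOf values are constructed. The SID decoding goes beyond the page and follows the standard binary SID layout, so that a policy can compare the stored hex against a SID string.

```python
import struct


def is_printable(value: bytes) -> bool:
    """Assumed definition of printable: every byte in the ASCII range 0x20-0x7E."""
    return all(0x20 <= b <= 0x7E for b in value)


def render_value(value: bytes) -> str:
    """One attribute value as it is stored: text if printable, else 0x-prefixed hex."""
    return value.decode("ascii") if is_printable(value) else "0x" + value.hex()


def render_attribute(values):
    """Multi-valued attribute: only the unprintable members are converted to hex."""
    return [render_value(v) for v in values]


def decode_sid(value: bytes) -> str:
    """Turn a binary objectSid into its S-R-I-S... text form.

    Standard layout (not described on the page): 1 byte revision, 1 byte
    sub-authority count, 6-byte big-endian identifier authority, then one
    32-bit little-endian integer per sub-authority.
    """
    if len(value) < 8:
        raise ValueError("SID too short")
    revision, count = value[0], value[1]
    authority = int.from_bytes(value[2:8], "big")
    if len(value) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    subs = struct.unpack("<%dI" % count, value[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_stored_sid(stored: str) -> str:
    """Take the hex form from the session variable back to the S-1-5-... string."""
    if not stored.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex value")
    return decode_sid(bytes.fromhex(stored[2:]))


# Sample input from Case 1 on the page: the objectSid value as raw bytes.
OBJECT_SID = bytes.fromhex(
    "01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000"
)

# Constructed memberOf values: one plain DN and one DN containing non-ASCII
# characters, like the "unprintable" group of Case 2.
MEMBER_OF = [
    b"CN=printable group,OU=groups,OU=someco,DC=example,DC=com",
    "CN=unprintable \u00bd\u00a1 group,OU=groups,DC=example,DC=com".encode("utf-8"),
]


if __name__ == "__main__":
    sid_text = render_value(OBJECT_SID)
    print("objectSid", len(sid_text), sid_text)
    print("decoded  ", decode_stored_sid(sid_text))
    for v in render_attribute(MEMBER_OF):
        print("memberOf ", v)
```

Two consequences for policy rules follow from this: a rule that compares memberOf against a DN literal will not match a group whose name contains non-ASCII characters, because that value is stored as hex, and a rule on objectSid must compare against the hex form or decode it first.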
Active Directory query session variables
When the AD Query access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the Active Directory access policy items and for a logon access policy item.
Session variables for Active Directory query
Session Variable | Description |
---|---|
session.ad.last.queryresult | Provides the result of the Active Directory query. The available values are: |
session.ad.last.errmsg | Displays the error message for the last login. If session.ad.last.queryresult is set to 0, then session.ad.last.errmsg might be useful for troubleshooting purposes. |
session.ad.last.attr.$attr_name | $attr_name is a value that represents the user’s attributes received from the Active Directory. Each attribute is converted to separate session variables. |
session.ad.last.attr.primarygroup.$attr_name | primarygroup.$attr_name is a value that represents the user’s group attributes received from the Active Directory. Each attribute is converted to separate session variables. |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
Active Directory authentication and query troubleshooting tips
You might run into problems with Active Directory authentication and query processes in some instances. Follow these tips to try to resolve any issues you might encounter.
Active Directory authentication and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
Domain controller reply did not match expectations. (-1765328237) | This error occurs when the principal/domain name does not match the domain controller server's database. For example, if the actual domain is SALES.MYCOMPANY.COM, and the administrator specifies STRESS as the domain, then the krb5.conf file displays the following: default_realm = SALES SALES = { domain controller = (domain controller server) admin = (admin server) } So, when the administrator tries to authenticate with useraccount@SALES, the krb5 library notices that the principal name SALES differs from the actual one in the server database. |
Additional troubleshooting tips for Active Directory authentication
You should | Steps to take |
---|---|
Check that your access policy is attempting to perform authentication | Note: Make sure that your log level is set to the appropriate level. The default log level is notice. |
Confirm network connectivity | |
Check the Active Directory server configuration | Note: Since Active Directory is sensitive to time settings, use NTP to set the correct time on the Access Policy Manager. |
Capture a TCP dump | Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own. |