Applies To:
BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
About Active Directory queries
When the AD Query access policy item runs, Access Policy Manager (APM) queries an external Active Directory server for additional information about the user. The AD Query item looks up the memberOf attribute to fetch the groups to which the user belongs, and provides an additional option to fetch the user's primary group.
The AD Query item does not authenticate user credentials. To authenticate users, use another authentication item (for example, AD Auth) in the access policy, in addition to AD Query.
About nested groups in Active Directory queries
A nested group is a group that is a member of another group. For example, if group1 is a member of group3 and group4, then a user (user1) who is a direct member of group1 and group2 also belongs to group3 and group4 through nesting.
Whether AD Query returns nested groups in session variables
The AD Query access policy item returns and stores the groups to which a user belongs in the memberOf session variable.
The contents of the memberOf session variable differ depending on whether the Fetch Nested Group setting is enabled or disabled in the AD Query properties:
- Enabled - The memberOf session variable contains all groups to which the user belongs, directly or through nesting. In the example, this is group1, group2, group3, and group4.
- Disabled - The memberOf session variable contains only the groups to which the user belongs directly. In the example, this is group1 and group2.
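The following Python script is an added example, not part of the original page or of APM itself. It reproduces what lands in session.ad.last.attr.memberOf for the example above with Fetch Nested Group enabled versus disabled, and shows why an access policy rule that requires group3 only passes when nesting is fetched. The group DNs (the DC=example,DC=com suffix) and the group-to-group membership map are constructed for the example; the walk uses a visited set so mutually nested groups cannot loop.

```python
"""Added example: how the memberOf session variable differs with
Fetch Nested Group enabled vs. disabled.  Illustrative code only, not APM
code.  The group names come from the example above; the DNs and the
directory layout (which group is a member of which) are constructed."""

from collections import deque

# Constructed directory: each group DN maps to the DNs of the groups it is a
# member of (what AD exposes as that group's own memberOf attribute).
GROUP_MEMBER_OF = {
    "CN=group1,OU=groups,DC=example,DC=com": [
        "CN=group3,OU=groups,DC=example,DC=com",
        "CN=group4,OU=groups,DC=example,DC=com",
    ],
    "CN=group2,OU=groups,DC=example,DC=com": [],
    "CN=group3,OU=groups,DC=example,DC=com": [],
    "CN=group4,OU=groups,DC=example,DC=com": [],
}

# Constructed user: user1's own memberOf attribute lists only direct groups.
USER1_DIRECT = [
    "CN=group1,OU=groups,DC=example,DC=com",
    "CN=group2,OU=groups,DC=example,DC=com",
]


def resolve_member_of(direct_groups, group_member_of, fetch_nested):
    """Return the list of group DNs that would be stored in
    session.ad.last.attr.memberOf for a user with the given direct groups.

    fetch_nested=False returns the direct groups only.  fetch_nested=True
    walks the membership graph breadth-first; the visited list stops the
    walk if two groups are nested in each other (cycles do occur in AD)."""
    if not fetch_nested:
        return list(direct_groups)
    seen = []
    queue = deque(direct_groups)
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.append(dn)
        queue.extend(group_member_of.get(dn, []))
    return seen


def group_check(member_of_values, required_dn):
    """Mimic an access policy rule that requires membership in one group.
    Compare whole DNs case-insensitively (DNs are case-insensitive) rather
    than a substring, so 'CN=group1,...' cannot also match 'CN=group10,...'."""
    wanted = required_dn.lower()
    return any(v.lower() == wanted for v in member_of_values)


def cn(dn):
    """Short name of a DN for display: 'CN=group1,OU=...' -> 'group1'."""
    return dn.split(",", 1)[0][len("CN="):]


if __name__ == "__main__":
    for nested in (True, False):
        groups = resolve_member_of(USER1_DIRECT, GROUP_MEMBER_OF, nested)
        print("Fetch Nested Group", "enabled:" if nested else "disabled:",
              [cn(g) for g in groups])
        print("  rule requiring group3 passes:",
              group_check(groups, "CN=group3,OU=groups,DC=example,DC=com"))
```

With nesting enabled the rule requiring group3 passes; with it disabled the same user is denied, because group3 is never written to the session variable.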
About Active Directory password management
Access Policy Manager (APM) supports password management for Active Directory authentication, including password reset (after password expiration), a configurable number of attempts for password reset, and a change password option (for resetting a password by user request).
The password reset process works in this sequence:
- APM uses the client's user name and password to authenticate against the Active Directory server on behalf of the client.
- If the user's password on the Active Directory server has expired, APM returns a new logon screen to the user, requesting that the user change the password.
- After the user submits the new password, APM attempts to change the password on the Active Directory server. If the change succeeds, the user's authentication is validated.
If the password change fails, the Active Directory server most likely rejected the new password because it did not meet the domain's password requirements (for example, the minimum password length).
APM supports multiple attempts for password reset. In the visual policy editor AD Auth action, APM provides a Max Password Reset Attempts Allowed property.
APM supports a change password option. In the visual policy editor, the Logon Page action provides a checkbox type field with a Change Password label for display on the logon screen.
About how APM handles binary values in Active Directory attributes
For Active Directory, Access Policy Manager (APM) converts an attribute value to a hex string (prefixed with 0x) only if the value contains unprintable characters. If the session variable contains several values, and one or more of those values is unprintable, APM converts only those particular values to hex; printable values are stored as-is.
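The following Python script is an added example and not code from the original page or from APM. It reproduces the conversion rule just described (printable values stored as-is, unprintable values stored as 0x-prefixed hex, applied per value for multi-valued attributes) and decodes stored values back, including the binary objectSid from the sessiondump output shown below into its S-1-5-... form. The definition of "unprintable" used here (any byte outside 0x20..0x7E) is an assumption; it is consistent with the memberOf output below, where a group name containing non-ASCII UTF-8 characters was hex-encoded. The memberOf values are constructed.

```python
"""Added example (not APM code): reproduce APM's hex conversion rule for
Active Directory attribute values and decode the hex back, including a
binary objectSid into its S-1-5-... form.  'Unprintable' is ASSUMED here to
mean any byte outside printable ASCII (0x20..0x7E); non-ASCII UTF-8 text
therefore gets hex-encoded too, which matches the memberOf output on the page."""

import struct

# objectSid value exactly as shown in the sessiondump output on this page.
OBJECTSID_HEX = "0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000"

# Constructed memberOf values: one plain DN, one DN with non-ASCII characters.
MEMBER_OF_RAW = [
    b"CN=printable group,OU=groups,DC=example,DC=com",
    "CN=unprintable \u00bd\u00a1 group,OU=groups,DC=example,DC=com".encode("utf-8"),
]


def is_printable(raw: bytes) -> bool:
    """Assumed printability test: every byte is printable ASCII."""
    return all(0x20 <= b <= 0x7E for b in raw)


def apm_encode(raw: bytes) -> str:
    """Store a single value the way APM does: as-is if printable, else 0x<hex>."""
    return raw.decode("ascii") if is_printable(raw) else "0x" + raw.hex()


def apm_encode_multi(values):
    """Multi-valued attribute: only the unprintable members become hex."""
    return [apm_encode(v) for v in values]


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_session_value(value: str, attr: str = "") -> str:
    """Turn a stored session variable value back into something readable.
    Plain values pass through; hex values are decoded as a SID when the
    attribute is objectSid, as UTF-8 text when that succeeds, and are left
    as hex when they are genuinely binary."""
    if not value.startswith("0x"):
        return value
    raw = bytes.fromhex(value[2:])
    if attr == "objectSid":
        return sid_to_string(raw)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return value


if __name__ == "__main__":
    print("objectSid:", decode_session_value(OBJECTSID_HEX, "objectSid"))
    for stored in apm_encode_multi(MEMBER_OF_RAW):
        print(stored, "->", decode_session_value(stored, "memberOf"))
```

Decoding the page's objectSid value yields the domain SID followed by the user's RID, which is usually easier to compare against a directory export than the raw hex string.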
An attribute with a single unprintable value:

```
7ecc84a2.session.ad.last.attr.objectSid 58 / 0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000
```

Attributes with multiple values, both printable and unprintable (binary):

```
7ecc84a2.session.ad.last.attr.memberOf 460 | CN=printable group,OU=groups,OU=someco,DC=sherwood,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352 | / c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d | / CN=Domain Users,CN=Users,DC=smith,DC=labt,DC=fp,DC=somlabnet,DC=com | / CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | / CN=Users,CN=Builtin,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com |
```

Adding an Active Directory query to an access policy
Using AD query with IPv6
Active Directory query session variables
When the AD Query access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the Active Directory access policy items and for a logon access policy item.
Session variables for Active Directory query
Session Variable | Description |
---|---|
session.ad.last.queryresult | Provides the result of the Active Directory query. A value of 0 indicates that the query failed (see session.ad.last.errmsg). |
session.ad.last.errmsg | Contains the error message for the last query. If session.ad.last.queryresult is set to 0, session.ad.last.errmsg is useful for troubleshooting. |
session.ad.last.attr.$attr_name | $attr_name represents an attribute of the user received from Active Directory. Each attribute is stored in a separate session variable. |
session.ad.last.attr.primarygroup.$attr_name | primarygroup.$attr_name represents an attribute of the user's primary group received from Active Directory (populated when the option to fetch the primary group is enabled). Each attribute is stored in a separate session variable. |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides the user name entered by the user. The string is stored encrypted with the system's client key. |
session.logon.last.password | Provides the password entered by the user. The string is stored encrypted with the system's client key. |
Active Directory authentication and query troubleshooting tips
You might run into problems with Active Directory authentication and query processes in some instances. Follow these tips to try to resolve any issues you might encounter.
Active Directory authentication and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
Domain controller reply did not match expectations. (-1765328237) | This error occurs when the principal or domain name does not match the domain controller's database. For example, if the actual domain is SALES.MYCOMPANY.COM and the administrator specifies SALES as the domain, the krb5.conf file contains `default_realm = SALES` and a realm entry `SALES = { domain controller = (domain controller server) admin = (admin server) }`. When the administrator then tries to authenticate as useraccount@SALES, the krb5 library notices that the realm SALES differs from the actual realm in the server database. Specify the actual domain name (SALES.MYCOMPANY.COM in this example) as the domain. |
Additional troubleshooting tips for Active Directory authentication
You should | Steps to take |
---|---|
Check that your access policy is attempting to perform authentication | Note: Make sure that your log level is set to the appropriate level. The default log level is notice. |
Confirm network connectivity | |
Check the Active Directory server configuration | Note: Because Active Directory is sensitive to time settings, use NTP to set the correct time on the Access Policy Manager. |
Capture a TCP dump | Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own. |