Applies To:

Show Versions Show Versions

sol12193: Using nested groups in Active Directory for authentication and resource assignment
How-ToHow-To

Original Publication Date: 10/14/2010
Updated Date: 02/07/2013

You can use Active Directory to authenticate users and assign resources to those users based on attributes in the user's account. For example, you can authenticate a user, perform a query to find which nested groups the user belongs to, and then assign the user a webtop resource based on a nested group. Group assignments are configured within Active Directory. The BIG-IP APM system retrieves the group assignment information from the Domain Controller and assigns the resources accordingly.

Note: A nested group is created when you add one group to a different group, and a user in the first group is not directly assigned to the new group. For example, if Jane Smith is a member of the Research_Development group and the Seattle group, and the Research_Development group is a member of the Engineers group and the Classified group, then Jane Smith belongs to all of those groups (the Research_Development, Seattle, Engineers, and Classified groups). Jane Smith nests the Engineers and Classified group privileges through her membership in the Research_Development group.

Creating an Access Policy

Performing the following procedure creates a logon page that prompts the user for their username and password. The BIG-IP APM uses DNS to determine the IP address of the Domain Controller for the domain (sometimes referred to as Realm) configured in the Active Directory AAA server definition. If the forward and reverse (PTR) records do not match, authentication fails. If the records match, the BIG-IP APM sends a request to the Domain Controller requesting a Kerberos ticket using the admin name and password that is configured in the Active Directory AAA server definition. If the BIG-IP APM and the Domain Controller establish a trust relationship, the BIG-IP APM passes the credentials that the user supplied on the logon page to the Domain Controller to authenticate the user. The Domain Controller sends back a success or failure message. If the BIG-IP APM receives a success message, the user has authenticated. If the BIG-IP APM cannot establish a trust with the Domain Controller, authentication fails.

  1. Log in to the Configuration utility.
  2. Expand Access Policy.
  3. Click Access Profiles.
  4. Click Create.
  5. Type a name for your access policy.

    For example:

    Classified_Webtop

  6. Review the default settings.
  7. Click Finished.
  8. Click the Edit link for the access policy you just created.
    The visual policy editor opens in a new window or new tab.
  9. Click (+) between the Start and Deny boxes.
  10. Under General Properties, select Logon Page.
  11. Click Add Item.
  12. Review the default settings.
  13. Click Save.
  14. Click (+) on the fallback branch following the Logon Page action.
  15. Under Authentication, select AD Auth.
  16. Click Add Item.
  17. From the Server menu, select the Active Directory AAA server that you want your users to authenticate against.

    Note: For instructions about creating an Active Directory AAA sever, refer to the Configuration Guide for BIG-IP Access Policy Manager.

    Note: Most environments use sAMAccountName rather than User Principle Name. If User Principal Name is enabled, the user needs to submit their user ID as user@domain, where the user is their username and the domain is their Active Directory domain.

    Note: F5 recommends that you enable Show Extended Error only for troubleshooting purposes. Enabling this option can generate multiple logs very quickly.

  18. Set the Max Logon Attempt Allowed based on the policies of your environments.

    Note: Setting the value to 1 allows the user only one attempt at supplying their credentials. The default value is set to 3 but can be set as high as 5.

Adding an Active Directory query to retrieve group information

  1. Click (+) on the Successful branch.
  2. Under Authentication, select AD Query.
  3. Click Add Item.
  4. Select the Active Directory AAA server you want to query against. Most likely this is the same server you selected above.
  5. In the SearchFilter field, enter the search query string you want the system to use to query the Domain Controller for user information. In the following example, the BIG-IP APM system queries the Domain Controller specifying the user's username:

    (sAMAccountName=%{session.logon.last.username})

    Note: Since you are not using the user's primary group and you are using sAMAcountName rather than User Principal Name, keep both of those values disabled.

  6. Next to Fetch Nested Group, select Enabled.
  7. Optional: If you configure the BIG-IP APM system to query for specific attributes, Active Directory responds with only the necessary attribute rather than all attributes. This can significantly improve the response time that your users experience during the logon process. This step is particularly useful for large environments. Once the BIG-IP APM system makes the initial query, the system stores the information locally on the BIG-IP APM device and uses the information for the remainder of the user's session. If changes are made in Active Directory to the user's account while the user is connected, the user needs to log out and log back in for the BIG-IP to acknowledge the changes.
    1. Click Add new entry.
    2. In the Required Attributes field, type the specific Active Directory attribute(s) on which you want resource assignments based. For example, to retrieve the groups that the user belongs to, you would type memberOf. This will limit the response from Active Directory to only include data from the memberOf attribute.
  8. Click the Branch Rules tab.
  9. Click the X next to Name: User Primary Group ID is to delete it.
  10. Click Add Branch Rule.
  11. Click the change link under the new branch rule.
  12. Click Add Expression.
  13. Select AD Query from the Agent Sel menu.
  14. Select User is a Member Of from the Condition menu.
  15. In the User is a member of field, assign your users a specific web top. For example, to assign the Classified group users a specific web top, type:

    CN=Classified,CN=Users,DC=example,DC=com

    Note: By adding expressions under the OR operator, you can configure the system so multiple groups have access to the same resource as the Classified group in this window.

  16. Click Add Expression.
  17. Click Finished.
  18. Click Save.

Assigning a resource to the users

At this point, the user has authenticated and you have retrieved all of the nested groups to which the user belongs. You have also told the BIG-IP APM system that members of a specific group (in the examples, the Classified group) can be treated differently than other authenticated users. The next step is to assign the user a webtop based on their group membership.

  1. Click (+) for Branch Rule 1.
  2. Under General Properties, select Resource Assign.
  3. Click Add Item.
  4. Click Add new entry.
  5. Click Set Webtop.

    Note: This is the same screen that you can assign users ACLs, Network Access, and Web Applications.

  6. Select the web top you want to assign to the members of the nested group.

    Note: For information about creating a web top resource, refer to the Configuration Guide for BIG-IP Access Policy Manager.

  7. Click Update.
  8. Click Save.
  9. To assign users who are not in the specific group you created (in the examples, the Classified group) to a different web top, click (+) on the fallback branch that follows the AD Query action.
  10. Repeats Steps 3 through 8, and make sure that you assign the appropriate resource for that group in Step 6.
  11. Click the Deny fields that follow the Resource Assign action to change the fields to Allow.
  12. Click the Apply Access Policy link in the upper left corner.

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)