Original Publication Date: 10/14/2010
Updated Date: 02/07/2013
You can use Active Directory to authenticate users and assign resources to those users based on attributes in the user's account. For example, you can authenticate a user, perform a query to find which nested groups the user belongs to, and then assign the user a webtop resource based on a nested group. Group assignments are configured within Active Directory. The BIG-IP APM system retrieves the group assignment information from the Domain Controller and assigns the resources accordingly.
Note: A nested group is created when you add one group to a different group, and a user in the first group is not directly assigned to the new group. For example, if Jane Smith is a member of the Research_Development group and the Seattle group, and the Research_Development group is a member of the Engineers group and the Classified group, then Jane Smith belongs to all of those groups (the Research_Development, Seattle, Engineers, and Classified groups). Jane Smith nests the Engineers and Classified group privileges through her membership in the Research_Development group.
Creating an Access Policy
Performing the following procedure creates a logon page that prompts the user for their username and password. The BIG-IP APM uses DNS to determine the IP address of the Domain Controller for the domain (sometimes referred to as Realm) configured in the Active Directory AAA server definition. If the forward and reverse (PTR) records do not match, authentication fails. If the records match, the BIG-IP APM sends a request to the Domain Controller requesting a Kerberos ticket using the admin name and password that is configured in the Active Directory AAA server definition. If the BIG-IP APM and the Domain Controller establish a trust relationship, the BIG-IP APM passes the credentials that the user supplied on the logon page to the Domain Controller to authenticate the user. The Domain Controller sends back a success or failure message. If the BIG-IP APM receives a success message, the user has authenticated. If the BIG-IP APM cannot establish a trust with the Domain Controller, authentication fails.
Note: For instructions about creating an Active Directory AAA sever, refer to the Configuration Guide for BIG-IP Access Policy Manager.
Note: Most environments use sAMAccountName rather than User Principle Name. If User Principal Name is enabled, the user needs to submit their user ID as user@domain, where the user is their username and the domain is their Active Directory domain.
Note: F5 recommends that you enable Show Extended Error only for troubleshooting purposes. Enabling this option can generate multiple logs very quickly.
Note: Setting the value to 1 allows the user only one attempt at supplying their credentials. The default value is set to 3 but can be set as high as 5.
Adding an Active Directory query to retrieve group information
Note: Since you are not using the user's primary group and you are using sAMAcountName rather than User Principal Name, keep both of those values disabled.
Note: By adding expressions under the OR operator, you can configure the system so multiple groups have access to the same resource as the Classified group in this window.
Assigning a resource to the users
At this point, the user has authenticated and you have retrieved all of the nested groups to which the user belongs. You have also told the BIG-IP APM system that members of a specific group (in the examples, the Classified group) can be treated differently than other authenticated users. The next step is to assign the user a webtop based on their group membership.
Note: This is the same screen that you can assign users ACLs, Network Access, and Web Applications.
Note: For information about creating a web top resource, refer to the Configuration Guide for BIG-IP Access Policy Manager.