Overview: Configure Active Directory Authentication

About Active Directory authentication

Active Directory is a directory service that runs on Microsoft Windows Server. It stores data on users, devices, applications, and other resources in a centralized database. It uses a hierarchical structure to organize and find data, making it easier for users to connect to network resources. It also provides authentication and authorization functions and allows administrators to manage permissions and access to network applications.

For more information, refer to the Active Directory Domain Services Overview on the Microsoft website.

A domain controller is a server that runs Active Directory Domain Services. You can configure BIG-IP Next to authenticate users against one or more Active Directory domain controllers. Typically, there are multiple domain controllers, each holding a copy of the directory for the entire domain. They all stay current because changes made to the directory on one controller are replicated to the other controllers.

BIG-IP Next Access uses Kerberos as an authentication protocol to verify credentials against Active Directory. The authentication process occurs as follows:

  1. An end-user attempts to access BIG-IP Next using an appropriate username and password.

  2. When not using AD Query, BIG-IP Next uses the Kerberos protocol to authenticate to the domain controller (DC) with the user credentials. When using AD Query:

    • If you provide admin credentials (the adminName and adminPassword of an administrator with AD administrative permissions) when configuring the Active Directory AAA server item, BIG-IP Next sends an AD search query to the AD server using the admin credentials. The query fetches user information and the Active Directory password policies needed to support password-related functionality.

    • If you do not provide admin credentials when configuring the Active Directory AAA server item, BIG-IP Next sends an AD search query to the AD server using the user credentials to fetch information.

  3. The Active Directory server verifies user credentials and responds to BIG-IP Next.

Configure Active Directory Authentication and Query

You can configure Active Directory Authentication and Query using the following methods:

Configure Active Directory Authentication using BIG-IP Next Central Manager