How to: Configure Active Directory Authentication policies using BIG-IP Central Manager¶
You can authenticate using Active Directory authentication with BIG-IP Next Access. We support using Kerberos-based authentication through Active Directory.
Using BIG-IP Next Central Manager GUI¶
The following example creates a new Active Directory Authentication Access policy using the BIG-IP Next Central Manager user interface.
Log in to BIG-IP Next Central Manager. Navigate to the Security canvas > Security > Access > Policies path.
To create a policy, click the Start Creating button. By default, there are no policies created. The Create Policy page opens, and the Visual Policy Designer (VPD) canvas appears.
Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.
In The How would you like to create it? section, select whether to create a policy using the template or from scratch. Available options are Create using a policy template and Start from scratch. Users are recommended to select Create using a policy template option to quickly access the policy.
In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider. When the Logon Page with Active Directory Query is selected, this policy template includes a Logon Page and Active Directory rules for Authentication and Authorization purposes. When the SAML as a Service Provider is selected, this policy template includes SAML Federation and Variable Assign rules to configure for a SAML Service Provider setup.
Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.
On the General Properties tab, enter a Policy Name for the policy.
Scroll through the remaining properties and revise any value that you want to change from its default setting.
Click Continue. The Session Properties tab of the respective policy page appears.
On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Logging tab of the respective policy page appears.
On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Single Sign-On tab of the respective policy page appears.
The Single Sign-On (SSO) provides seamless access to the applications protected through BIG-IP Next Access. This allows administrators to use more modern authentication techniques, such as SAML or OAuth, and translate it to something the back-end application supports, such as Kerberos or Forms.
On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its respective configuration page appears. Fill in the required values in the given fields and save the configuration.
Refer to Single Sign-On methods for more information.Click Continue. The Endpoint Security tab of the respective policy page appears.
On the Endpoint Security tab, choose the applicable version from its default setting.
Click Continue. The Resources tab of the respective policy page appears.
The Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.
On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.
Click Continue. The Connectivity tab of the respective policy page appears.
On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Continue. The Policy Endings tab of the respective policy page appears.
On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.
Click Finish. A required access policy is created.
The VPD canvas opens.Drag an empty flow into the VPD canvas.
On the empty flow, click the
icon.
The flow expands so you can edit it.On the VPD side bar, click the
icon, and then drag the Active Directory Authentication rule onto the empty flow.Hover the cursor over the Active Directory Authentication rule and then click the
icon.
The Rule Properties tab of the Rule Configuration page opens.In Name field, type the name of the access profile.
Select Cross Domain Support from the dropdown, this specifies whether AD cross domain authentication support is enabled for AD Auth agent. This setting can be Enabled or Disabled for agent.
Select Complexity check for Password Reset from the dropdown, this specifies whether BIG-IP Next Access performs a password policy check. This setting can be Enabled or Disabled.
Select Show Extended Error from the dropdown, this setting can be Enabled or Disabled. When enabled, this displays the comprehensive error messages generated by the authentication server to show on the user’s Logon page. This setting is only intended for testing purposes in a non-production or debugging environment. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks.
Select Max Logon Attempts Allowed from the dropdown, this specifies the number of user authentication logon attempts to allow. You can choose between 1 to 5 and by default 3 attempts are allowed.
Select Max Password Reset Attempts Allowed from the dropdown, this Specifies the number of times BIG-IP Next Access allows the user to try to change password. You can choose between 1 to 5 and by default 3 attempts are allowed.
Click Continue.
The Server Properties tab opens.In the Name field, type a unique name for the authentication server.
For Server Connection, select Pool.
In the Domain Settings:
In Domain Name field, type the name of the Windows domain.
In Timeout field, accept the default value or type a few seconds.
In the Group Cache Lifetime field, type the number of days. The default lifetime is 30 days.
In the Password Security Object Cache Lifetime field, type the number of days. The default lifetime is 30 days.
In the Domain credentials:
In the Admin Username field, type a case-sensitive name for an administrator who has Active Directory administrative permissions.
In the Admin Password field, type the administrator password associated with the Domain Name.
In the Verify Admin Password field, retype the administrator password associated with the Domain Name setting.
KDC Validation: The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller and is responsible for authenticating users. The KDC validation allows you to prevent a KDC spoofing attack.
You configure a KDC validation by importing a keytab file that you exported from the Kerberos KDC. When you enable the KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, the BIG-IP system requests a service ticket on behalf of the user. It validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file. When the validation with the keytab file fails, the KDC server is considered untrusted, and the user is not authenticated.
Note: When you enable KDC Validation, then the below settings are enabled:In the Service Name field, specify the Kerberos service name. The service name should be written as:
service-class/service-hostnameIn the Keytab File field, locate and upload the keytab file containing Kerberos encrypted keys. It contains the service keys that the server uses to authenticate the client.
Click Continue.
The Branches tab of the Rule Configurations page opens.Under Branches, click Create.
The Branches page opens.In Name field, write the branch name.
Under Expression, select a Context, a Condition and a Result for this branch.
Add any (optional) AND/OR branches needed for the policy, and then click Save.
On the Branches tab of the Rule Configuration page, click Finish.
The VPD canvas displays the revised policy.Review the policy in the VPD canvas; then click Save to finish creating the policy.
BIG-IP Next Central Manager adds the policy to the Access Policies list.
Using BIG-IP Next Central Manager API¶
The following example creates a new Active Directory Authentication Access policy using the BIG-IP Next Central Manager application programming interface (API).
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Create the policy by sending a Post to the
/api/v1/spaces/default/security/access-policiesendpoint.POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policiesFor the API body, use the following, substituting values appropriate for the policy you want to create.
{ "description": "", "name": "AD_auth", "policy_type": "PerSession", "properties": [ { "configuration": { "policyType": "PerSession", "name": "AD_auth", "externalServers": [ { "domain": "access.com", "groupCacheTtl": 30, "kdcValidation": false, "name": "AD-Server-8cb3c72a", "psoCacheTtl": 30, "serverSide": {}, "serverType": "ActiveDirectory", "timeout": 15 } ], "policy": { "objectContent": { "macros": [ { "name": "Emptyf260a566", "start": { "caption": "Fallback", "itemType": "aaa-active-directory-auth", "maxLogonAttempt": 3, "maxPwdResetAttempt": 3, "name": "ADrules", "nextItems": [ { "itemType": "terminal-out", "name": "Allow", "caption": "ADsuccess", "expression": "expr {[mcget {session.ad.last.authresult}] == 1}" }, { "caption": "Fallback", "itemType": "terminal-out", "name": "Deny" } ], "pwdComplexityCheck": false, "ruleId": "AD-Authentication-e3a7d06e", "ruleType": "aaa-active-directory-auth", "server": "AD-Server-8cb3c72a", "showExtendedError": false, "upn": false, "isValid": true }, "endings": [ { "name": "Deny", "color": "#D9647A", "default": true }, { "name": "Allow", "color": "#199D4D" } ] } ], "start": { "itemType": "macro-call", "name": "AD_Auth", "macro": "Emptyf260a566", "caption": "Fallback", "nextItems": [ { "itemType": "deny", "name": "Deny", "caption": "Deny" }, { "itemType": "allow", "name": "Allow", "caption": "Allow" } ] }, "endings": [ { "name": "Deny", "action": "deny", "color": "#D9647A", "default": true }, { "name": "Allow", "action": "allow", "color": "#199D4D", "default": false } ], "languages": [ "en" ], "defaultLanguage": "en" } }, "scope": "profile", "profileType": "all", "userIdentityMethod": "http", "connectivityAccessPolicyName": "AD_auth_cap", "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800, "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128, "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": false, "persistentCookie": false, "httpOnlyCookie": false, "restrictToSingleClientIP": false, "useHttp503OnError": false, "logoutUriTimeout": 5, "samesiteCookie": false, "samesiteCookieAttrValue": "strict" }, "connectivityProfileConfiguration": { "compressBufferSize": 4096, "compressGzipLevel": 6, "compressGzipMemlevel": 8192, "compressGzipWindowsize": 16384, "compressCpusaver": true, "compressCpusaverHigh": 90, "compressCpusaverLow": 75, "compressionAdaptive": true, "compressionDeflateLevel": 1, "compressionCodecs": [], "pppTunnel": { "profilePpp": {} }, "clientPolicy": { "ecSaveServersOnExit": true, "ecReuseWinlogonSession": false, "ecReuseWinlogonCreds": false, "ecRunLogoffScript": false, "ecWarnBeforeScriptLaunch": true, "ecSavePasswordMethod": "none", "ecSavePasswordTimeout": 240, "ecComponentUpdate": "yes", "serverList": [], "ecLocationDnsList": [], "androidEcRequireDeviceAuth": false, "androidEcSavePasswordMethod": "disk", "androidEcSavePasswordTimeout": 240, "iosEcRequireDeviceAuth": false, "iosEcSavePasswordMethod": "disk", "iosEcSavePasswordTimeout": 240, "macosEcSavePasswordMethod": "disk", "macosEcSavePasswordTimeout": 240, "chromeosEcSavePasswordMethod": "disk", "chromeosEcSavePasswordTimeout": 240, "chromeosEcLogonMethod": "native", "macosEcLogonMethod": "native", "name": "AD_auth_cap_clientPolicy" }, "policyType": "ConnectivityAccessPolicy", "name": "AD_auth_cap" }, "loggingConfiguration": [ { "component": "apmd", "level": "NOTICE" }, { "component": "tmm", "level": "NOTICE" }, { "component": "websso", "level": "NOTICE" }, { "component": "renderer", "level": "NOTICE" } ] } ] }
BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.
Important: To fully configure this policy, attach this rule to an application. After attaching to an application, make sure to configure the External or AAA servers as well for Active Directory Authentication. For additional details about managing an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.