Forum Discussion

markj_58101
Feb 09, 2016

AD Group Resource Assign APM

Looking for some assistance with setting up assignments of resources based on the user's AD group. I want it so that when a user is a member of a specific group, they are assigned a specific resource.

 

I currently have this for my visual policy editor:

 

 

In my AD Resource Assign, I have some AD groups mapped to some resources. After that, I have an Advanced Resource Assign section (which is currently blank). I have also tried adding a Webtop in there but that didn't work either; it complained that there were no resources. I saw another article on DevCentral saying to have Advanced Resource Assign with a blank expression placed after the AD Resource Assign (this was to assign a webtop). I am currently getting this error in /var/log/apm:

 

notice apd[21572]: 01490005:5: bba6fed8: Following rule 'fallback' from item 'Advanced Resource Assign' to ending 'Allow'

 

notice apd[21572]: 01490102:5: bba6fed8: Access policy result: LTM+APM_Mode

 

In the browser, I get a "Page Can't be Displayed"

 

I can't seem to find any documentation detailing how to set this up end to end, so I'm not sure if I am doing something wrong here. I am currently running 11.6 HF6.

 

Any help appreciated.

 

9 Replies

  • You will need to have an AD Query after your AD Auth Action. The AD Query will populate the variable needed to do the assignments.

     

    Can you give that a try and see if you have better results?

     

    The log statement saying "LTM+APM_Mode" means that no resources were assigned to the session. If you still have issues can you please post screenshots of the config inside the assigns?

     

    -Seth

     

  • Thanks for your response Seth. I was wondering what the LTM+APM meant, but it makes sense now, thanks.

     

    I did try with the AD query in before but I wasn't having any luck (_Access was denied by the access policy. This may be due to a failure to meet access policy requirements_)

     

    I have attached a screenshot of how I set up the AD query and the resource assign. I left the search filter blank because I believe that way it just retrieves all the groups? To give you some background on what I want to do: at the beginning of the policy editor, I want to have multiple URIs, and each URI will be its own branch on the policy editor. Then, I want to create a macro for the AD query and resource assign. Then I want each branch to be able to call the macro to assign the resources for its webtop. Not sure how that will work for the Webtop; I don't think you get a generic Webtop that can be used in the macro, and where would you assign the Webtop?

     

     

    Many thanks

     

    • GMB_284399

      I had to delete then re-add the Resource Assignment in the macro, it worked after that.

       

  • You really need to review the logs to see what is happening. Please turn the log level to "Informational" if it is not already and run a test. Look for the session ID in the logs and follow the VPE flow by the log statements. If you don't see anything that stands out please post the logs (just for the session that failed) here if you want and we can give them a look.

     

    -Seth

     

  • Thanks Seth

     

    I have been looking at the logs and it seems that it fails on the AD Query:

     

    Feb 10 14:50:44 testapm1 notice apd[21572]: 01490005:5: ad9e33e0: Following rule 'fallback' from item 'AD Query' to ending 'Deny'

     

    Feb 10 14:50:44 testapm1 notice apd[21572]: 01490102:5: ad9e33e0: Access policy result: Logon_Deny

     

    Right after that, it returns:

     

    Feb 10 14:50:44 testapm1 info apd[21572]: 01490004:6: ad9e33e0: Executed agent '/Common/Access-Policy_end_deny_ag', return value 0

     

    Then it starts returning all the details about my account (act_active_directory_query_ag.attr.xxxxxx). After it's finished returning all the AD session variables, the logs stop. That's when I get an error on the web page.

     

    It's a bit strange, because for some reason it fails on the AD query but then it returns all the details about my account after that. I would have thought if it failed on the AD Query then it would stop right there because that branch goes straight to a Deny.

     

  • I actually managed to get it working now. I ended up moving AD group resource assignment to the fallback leg of the AD Query. Not sure if that is by design or not.
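
Following one session ID through the apd lines in /var/log/apm, as suggested in the replies above, can be scripted. This is an added example, not code from any poster in the thread: the function names `trace_sessions` and `diagnose` are hypothetical, and the regular expressions assume the line layout seen in the log lines posted here, which are embedded as the sample input.

```python
import re
from collections import defaultdict

# Log lines copied from the thread's posts (two sessions).
SAMPLE = """\
notice apd[21572]: 01490005:5: bba6fed8: Following rule 'fallback' from item 'Advanced Resource Assign' to ending 'Allow'
notice apd[21572]: 01490102:5: bba6fed8: Access policy result: LTM+APM_Mode
Feb 10 14:50:44 testapm1 notice apd[21572]: 01490005:5: ad9e33e0: Following rule 'fallback' from item 'AD Query' to ending 'Deny'
Feb 10 14:50:44 testapm1 notice apd[21572]: 01490102:5: ad9e33e0: Access policy result: Logon_Deny
Feb 10 14:50:44 testapm1 info apd[21572]: 01490004:6: ad9e33e0: Executed agent '/Common/Access-Policy_end_deny_ag', return value 0
"""

# Assumed layout: "<msg code>:<severity>: <session id>: <message>" after the apd[pid] tag.
LINE = re.compile(r"apd\[\d+\]: (\d{8}):\d: ([0-9a-f]{8}): (.*)")
RULE = re.compile(r"Following rule '(.+?)' from item '(.+?)' to \w+ '(.+?)'")
RESULT = re.compile(r"Access policy result: (\S+)")


def trace_sessions(text):
    """Group apd lines by session ID; return each session's branch path and result."""
    sessions = defaultdict(lambda: {"path": [], "result": None})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an apd access-policy line
        _code, sid, msg = m.groups()
        if (r := RULE.search(msg)):
            rule, item, target = r.groups()
            sessions[sid]["path"].append((item, rule, target))
        elif (r := RESULT.search(msg)):
            sessions[sid]["result"] = r.group(1)
    return dict(sessions)


def diagnose(trace):
    """Explain a session outcome using only what the thread states about these results."""
    last = trace["path"][-1] if trace["path"] else None
    if trace["result"] == "LTM+APM_Mode":
        return "allowed, but no resources were assigned to the session"
    if last and last[2] == "Deny":
        return f"denied: rule '{last[1]}' from item '{last[0]}' led to ending 'Deny'"
    return f"result {trace['result']}"


if __name__ == "__main__":
    for sid, trace in trace_sessions(SAMPLE).items():
        steps = " -> ".join(f"{i} [{r}] {t}" for i, r, t in trace["path"])
        print(f"{sid}: {steps} => {trace['result']}: {diagnose(trace)}")
```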