Forum Discussion

Nuruddin_Ahmed_
Cirrostratus
Nov 15, 2016

Account lockouts via APM

We have integrated F5 APM with Active Directory, and we have many other devices also integrated with AD. When an account is locked out in AD via devices other than the F5, we are able to catch them using the "Caller Computer Name" parameter, which shows the actual source of the lockout. This parameter is blank when the F5 sends the log to AD; it should insert the F5 hostname here. How can this be achieved?


5 Replies

  •
    Lucas_Thompson_
    Historic F5 Account

    There is unfortunately no configuration like this in APM. Please submit a support ticket to request this enhancement.


    Also, do you know where exactly in the Kerberos communication this happens? Googling reveals that this parameter is also called "Source Workstation".


    •
      Kai_Wilke
      MVP

      Hi Lucas,


      A Kerberos message may contain the "HostAddress" field to inform the KDC about the origin host of the AS request, as outlined in RFC 1510 Section 8.1 and RFC 4120 Section 5.2.5. Microsoft uses this value as "Caller Computer Name" for various purposes.


      Cheers, Kai


    •
      Nuruddin_Ahmed_
      Cirrostratus

      Hi Kai, the Kerberos message informs about the failed login; it does not tell whether the account was locked by that event.


      Thanks


  • Hi Nuruddin,


    Kerberos does support a message type to inform the client (aka. your F5) that an account is currently locked out. You can display this message on your login page by enabling the "Show Extended Error" option on your AD-Auth action item, or by enumerating the "session.ad.last.errmsg" value within a branch rule to display a more user-friendly error page if you like. You may also perform an AD-Query action right before your AD-Auth action to retrieve the current account lockout status (aka. doing some math on the badPwdCount, badPasswordTime and lockoutTime attributes) before initiating the AD-Auth. This approach allows you to configure an AD-independent account lockout threshold on your F5 (slightly lower than AD's), so that your F5 will effectively not lock out your internal user accounts anymore.


    The "HostAddress" field I was refering to in my previous post, is an informational field used by Kerberos to include the name of the computer system from which the authentication request was initiated. This field will be used by your domain controller to generate a more detailed Err4740 log entry. The difference between your F5 and a Windows system is, that the Windows system will send its NETBIOS name to the KDC but the F5 doesn't. Thats why you will see just an empty "Caller Computer Name" value in your Err4740 log entries.


    As Lucas already mentioned: the best thing you can do now is to open a support ticket and ask F5 to include support for the "HostAddress" field, so that your F5 can be easily identified as the source of the account lockout. As a workaround for now, you have to search for the last related Err4771 log message (aka. pre-authentication failed) and then simply use the included "Client Address" field to identify your F5 as the origin of the authentication request that has locked out the account.


    Cheers, Kai
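The workaround described in the reply above (fall back from an empty "Caller Computer Name" in event 4740 to the "Client Address" of the last preceding 4771 for the same account), as an added example that is not part of this thread or of any F5 product. It assumes the events have already been pulled from the Security log into dicts; the field names, the five-minute correlation window and the sample records are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed field names, not real Windows log output).
# 4771 = Kerberos pre-authentication failed, 4740 = account locked out.
EVENTS = [
    {"id": 4771, "time": "2016-11-15T08:00:01", "account": "jdoe", "client_address": "::ffff:10.0.0.5"},
    {"id": 4771, "time": "2016-11-15T08:00:04", "account": "jdoe", "client_address": "::ffff:10.0.0.5"},
    {"id": 4771, "time": "2016-11-15T08:00:09", "account": "jdoe", "client_address": "::ffff:10.0.0.5"},
    {"id": 4740, "time": "2016-11-15T08:00:10", "account": "jdoe", "caller_computer_name": ""},
    {"id": 4740, "time": "2016-11-15T08:05:00", "account": "asmith", "caller_computer_name": "WS01"},
    {"id": 4740, "time": "2016-11-15T09:00:00", "account": "bob", "caller_computer_name": ""},
]


def normalize_address(addr):
    """Strip the IPv4-mapped IPv6 prefix Windows often writes into Client Address."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def lockout_sources(events, window=timedelta(minutes=5)):
    """For every 4740 lockout, return (account, lockout_time, source, evidence).

    evidence is "4740 Caller Computer Name" when the DC filled the field in,
    "4771 Client Address" when we had to correlate with the last failed
    pre-auth for that account inside the window, and "unknown" otherwise.
    """
    failures = [e for e in events if e["id"] == 4771]
    results = []
    for lock in (e for e in events if e["id"] == 4740):
        caller = lock.get("caller_computer_name", "")
        if caller:
            results.append((lock["account"], lock["time"], caller, "4740 Caller Computer Name"))
            continue
        t_lock = datetime.fromisoformat(lock["time"])
        prior = [f for f in failures
                 if f["account"] == lock["account"]
                 and t_lock - window <= datetime.fromisoformat(f["time"]) <= t_lock]
        if prior:
            last = max(prior, key=lambda f: f["time"])
            results.append((lock["account"], lock["time"],
                            normalize_address(last["client_address"]), "4771 Client Address"))
        else:
            results.append((lock["account"], lock["time"], None, "unknown"))
    return results


if __name__ == "__main__":
    for account, when, source, evidence in lockout_sources(EVENTS):
        print(f"{when} {account}: locked out from {source} ({evidence})")
```

Comparing the resolved source against the management or self-IP addresses of your F5 tells you which 4740 entries the APM box produced, without relying on the blank "Caller Computer Name".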