Forum Discussion

Colt_Majkrzak1
Mar 26, 2012

APM V11.1HF1 querying Active Directory

Hi Everyone,

I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (built from the wizard), but I'm attempting to check if the users are members of an AD group and assign resources accordingly. So, for example, members of Administrators would see the server(s) RDC connections, while everyone else would just be able to access apps/network connect.

To do this, I'm attempting to use 'Active Directory Auth has Passed' AND User is a member of CN=Administrators, CN=Builtin, DC=mydomain, DC=local, which is set as the top-most item in the branch rules. Below that is just a simple 'Active Directory Auth has Passed' condition. On execution of the policy, I never hit the top-most condition, no matter how many ways I've tried it. On further review, I noticed the following in the APM logging.

Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED

Which tells me the var in memory is never actually populated. I have run adtest and verified the F5 VM is able to communicate with AD, so I'm a bit at a loss on how I might get this working. If anyone has any tips, it would be a great help.

Thank You!
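An added example (not from the original post and not F5 code) that models the branch rule quoted in the log above against constructed session data. It shows the two ways that rule can fail to branch: the memberOf variable being absent from the session entirely, which is what the "was not found in MEMCACHED" lines report (memberOf is fetched by an AD Query action, not by AD Auth alone), and a substring `contains` test written with spaces after the commas while AD returns the DN as `CN=Administrators,CN=Builtin,DC=mydomain,DC=local`. The session dictionaries, the `" | "` separator between multi-valued attribute values, and the DN spacing are assumptions made for the example; the `mcget`, `rule_as_posted` and `is_member` functions are stand-ins written here, not APM's own API.

```python
"""Model of the APM branch rule from the posted log, run against constructed
session data (added example; not F5 code).

Rule as logged:
  expr { [mcget {session.ad.last.authresult}] == 1 &&
         [mcget {session.ad.last.attr.memberOf}] contains
         "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }
"""
from typing import Dict, List

# Constructed session: AD Auth succeeded but nothing fetched memberOf, so the
# attribute is simply absent (this is what the posted log shows).
SESSION_AUTH_ONLY: Dict[str, str] = {"session.ad.last.authresult": "1"}

# Constructed session after an AD Query fetched memberOf. Assumptions: APM
# stores a multi-valued attribute as one string with " | " between values,
# and AD returns the DNs without spaces after the commas.
SESSION_WITH_QUERY: Dict[str, str] = {
    "session.ad.last.authresult": "1",
    "session.ad.last.attr.memberOf": (
        "CN=Administrators,CN=Builtin,DC=mydomain,DC=local | "
        "CN=Remote Desktop Users,CN=Builtin,DC=mydomain,DC=local"
    ),
}

GROUP_AS_TYPED = "CN=Administrators, CN=Builtin, DC=mydomain, DC=local"
GROUP_AS_AD_RETURNS_IT = "CN=Administrators,CN=Builtin,DC=mydomain,DC=local"


def mcget(session: Dict[str, str], name: str) -> str:
    """Stand-in for mcget: a variable missing from the session reads as ""."""
    return session.get(name, "")


def rule_as_posted(session: Dict[str, str], group_dn: str) -> bool:
    """The logged rule: authresult == 1 AND memberOf *contains* group_dn."""
    return (mcget(session, "session.ad.last.authresult") == "1"
            and group_dn in mcget(session, "session.ad.last.attr.memberOf"))


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: no whitespace around RDNs, lower-cased."""
    return ",".join(split_dn(dn)).lower()


def member_of(session: Dict[str, str]) -> List[str]:
    """memberOf values from the session, split on the assumed " | " separator."""
    raw = mcget(session, "session.ad.last.attr.memberOf")
    return [v.strip() for v in raw.split(" | ") if v.strip()]


def is_member(session: Dict[str, str], group_dn: str) -> bool:
    """Robust check: whole-DN equality after normalization, not a substring test."""
    wanted = normalize_dn(group_dn)
    return (mcget(session, "session.ad.last.authresult") == "1"
            and any(normalize_dn(v) == wanted for v in member_of(session)))


def diagnose(session: Dict[str, str], group_dn: str) -> str:
    """Say why the rule would not branch, mirroring the messages in the log."""
    if mcget(session, "session.ad.last.authresult") != "1":
        return "auth failed"
    if "session.ad.last.attr.memberOf" not in session:
        return "memberOf not in session (no AD Query ran)"
    if is_member(session, group_dn):
        return "match"
    return "memberOf present but no value equals the group DN"


if __name__ == "__main__":
    for label, sess in (("auth only", SESSION_AUTH_ONLY), ("with query", SESSION_WITH_QUERY)):
        print(f"{label}: posted rule -> {rule_as_posted(sess, GROUP_AS_TYPED)}, "
              f"normalized -> {is_member(sess, GROUP_AS_TYPED)}, "
              f"{diagnose(sess, GROUP_AS_TYPED)}")
```

Run as a script it prints one line per constructed session. The point of `is_member` over the raw `contains` test is that it compares whole DNs after normalizing case and spacing, so a rule typed with spaces after the commas still matches what AD actually returns, and a group whose name happens to be a substring of another group's DN cannot match by accident.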
  • I have tried cross-domain support, but it did not look like it was doing anything.

    I did not try using user@child.domain.com.

    APM is able to reach all domain controllers, but in the configuration I can only select 1 server... unless I am mistaken.
  • I have a working system with both multi-domain AD and LDAP auth. The principle behind both is the same and I had to be a little creative on this. I'll get some screen shots together later.
  • I have a document with the steps in but I can't upload to this thread (editor not working for me). Message me your email address and I'll mail it instead.
  • Hello, not sure if you can answer this question, but it's regarding the user challenge for password change. I have two-factor authentication and two separate AD domains for user authentication. All works fine until the time when a user's password expires and he/she needs to change it. Once it expires, the user is no longer able to log on to any resources and no error messages are shown. It just brings them back to the logon screen. Do you happen to know where in the core (or VPE) the option is to prompt the user to change password at next logon?

    Here is the log from APM:

    info apd[6179]: 01490076:6: fc7a9c9e: AD agent: Auth (logon attempt:0): Domain password has been expired and must be changed for 'ext-khud'
    debug apd[6179]: 01490012:7: fc7a9c9e: AD agent: LEAVE Function executeInstance
    info apd[6179]: 01490004:6: fc7a9c9e: Executed agent '/Common/bny-apm-citrix_citrix_apm-v2_2_act_active_directory_auth_ag', return value 4
    debug apd[6179]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "_executeOneAgent()" line: 108 Msg: user input is required
    debug apd[6179]: 01490011:7: fc7a9c9e: Logon agent: ENTER Function executeInstance
    debug apd[6179]: 01490012:7: fc7a9c9e: Logon agent: LEAVE Function executeInstance
    info apd[6179]: 01490004:6: fc7a9c9e: Executed agent '/Common/bny-apm-citrix_citrix_apm-v2_2_act_logon_page_ag', return value 3
    debug apd[6179]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "_executeOneAgent()" line: 108 Msg: user input is required

     

  • It should definitely work and the user should be prompted to change their password. What exactly are you seeing? Can you try with a plain vanilla, non-customized access policy - just logon page, then AD Auth to the domain that has the expired user, then allow? That is a good way to find out where and how exactly we should approach troubleshooting this situation further - i.e. whether the problem is due to the configuration of the VPE or somewhere below...
  • It seems that we have some Kerberos issue negotiating encryption standards while using the password change challenge; however, we don't have this problem when we just authenticate users without that prompt.

    Basically it failed on DES from APM to the Win2008 server, but not sure why it's not an issue with just simple authentication though.

     

  • Here is what we were getting:

    AD module: authentication with '' failed: KDC has no support for encryption type, principal name: ext-johndoe@EXTERNAL.CORP.LOCAL. Please verify Active Directory and DNS configuration. (-1765328370)