Hi Davey,
In case you don't use APM to pre-authenticate your users (or you don't want to change the VPE sequence), you may try the iRule below. The iRule parses the username on the wire and sends a 502 response if the given username is found. The provided iRule is able to inspect Basic, NTLM and NEGOTIATE-NTLMSSP authentication schemes...
when RULE_INIT {
    # Username patterns must be lowercase and follow the formats shown here
    set static::username_basic "domain\\username"
    set static::username_ntlm "domainusername"
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] equals "/autodiscover/autodiscover.xml" } then {
        if { [set temp(auth_header) [string tolower [HTTP::header value Authorization]]] starts_with "basic" } then {
            # Basic: HTTP::username returns the decoded username
            if { [string tolower [HTTP::username]] contains $static::username_basic } then {
                HTTP::respond 502 content "Invalid Mailbox"
            }
        } elseif { $temp(auth_header) starts_with "ntlm" } then {
            # NTLM: strip the "NTLM " prefix, base64-decode and drop the UTF-16 null bytes
            if { [string tolower [string map [list [binary format H* 00] ""] [b64decode [string range [HTTP::header value Authorization] 5 end]]]] contains $static::username_ntlm } then {
                HTTP::respond 502 content "Invalid Mailbox"
            }
        } elseif { $temp(auth_header) starts_with "negotiate" } then {
            # Negotiate: strip the "Negotiate " prefix and check for a raw NTLMSSP token
            if { [set temp(auth_header) [string tolower [b64decode [string range [HTTP::header value Authorization] 10 end]]]] starts_with "ntlmssp" } then {
                if { [string tolower [string map [list [binary format H* 00] ""] $temp(auth_header)]] contains $static::username_ntlm } then {
                    HTTP::respond 502 content "Invalid Mailbox"
                }
            } else {
                # You can't inspect Kerberos Session Tickets. But it's very unlikely that the client provides one... ;-)
            }
        }
    }
}
Note: You have to change the $static:: variables to match the username. The format of the username has to match the outlined patterns and must be lowercase.
Cheers, Kai
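Added example (not part of Kai's post or the iRule): a Python parser that shows what the iRule is matching on the wire by decoding Basic, NTLM and Negotiate-NTLMSSP Authorization headers into (scheme, domain, user). Instead of stripping null bytes and substring-matching, it reads the domain and user security buffers of the NTLMSSP AUTHENTICATE (type 3) message; the build_ntlm_authenticate helper and the CORP/jdoe values are constructed here purely for testing.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag bit

def _field(msg, pos):
    # A "security buffer": u16 length, u16 max length, u32 offset into msg.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_ntlm_authenticate(msg):
    """Return (domain, user) from an NTLMSSP AUTHENTICATE (type 3) message, else None."""
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIGNATURE):
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # type 1/2 messages carry no username yet
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return _field(msg, 28).decode(enc), _field(msg, 36).decode(enc)

def parse_authorization(header):
    """Return (scheme, domain, user) for Basic, NTLM and Negotiate-NTLMSSP, else None."""
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip())
    except ValueError:
        return None
    if scheme == "basic":
        domain, _, user = raw.decode("latin-1").split(":", 1)[0].rpartition("\\")
        return scheme, domain, user
    if scheme in ("ntlm", "negotiate"):
        parsed = parse_ntlm_authenticate(raw)  # Kerberos/SPNEGO blobs give None
        return (scheme,) + parsed if parsed else None
    return None

def is_blocked(header, domain, user):
    """Case-insensitive match of the blocked domain\\user, as the iRule does."""
    parsed = parse_authorization(header)
    return parsed is not None and [s.lower() for s in parsed[1:]] == [domain.lower(), user.lower()]
def build_ntlm_authenticate(domain, user, workstation="WS1"):
    """Constructed sample type 3 message (Unicode, empty challenge responses) for testing."""
    values = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    hdr, payload = NTLMSSP_SIGNATURE + struct.pack("<I", 3), b""
    for value in values:  # six security buffers, payload starts right after the flags
        hdr += struct.pack("<HHI", len(value), len(value), 64 + len(payload))
        payload += value
    return hdr + struct.pack("<I", NEGOTIATE_UNICODE) + payload
```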