
iRule: Intercepting NTLM authentication requests and responding with a static service account and password

I have a scenario where I am doing two-factor authentication on the front end of a virtual server, which does not include NTLM authentication. Unfortunately the back-end application requires NTLM authentication with a username and password. The idea, until we can put in place a SiteMinder federation solution, is to authenticate this traffic to the back-end servers by intercepting the authentication requests from the server and providing a standard service account username and password response back to the server. This prevents the users on the front end from being required to enter this service account manually and also keeps us from having to provide this account to users. Is it possible to intercept the authentication request for NTLM and respond back with a static username and password? If this is possible, could someone please provide some sort of iRule code examples of doing this, because I am stuck. I know this is probably not a normal process to do this, but it will buy us some time to put the permanent solution in place. Thanks in advance for the help.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Are you using APM (Access Policy Manager)? If you were to do it, then you can easily enable any sort of n-factor authentication on the front-end virtual and then perform NTLM-based SSO with service account credentials as you've described - that is the best approach.

0
Comments on this Answer
Comment made 22-Apr-2014 by Brett 257
How do you configure the service account piece? I know my way around LTM and GTM very well, but I am very new to the APM aspect.
0

Pretty straightforward, actually. Create an NTLM SSO profile and apply that to your access policy. Take note of the username and password source variables in the SSO profile and create a Variable Assignment inside the visual policy to statically define these variables and values.

0

How do you configure the service account piece?

  1. Create a new NTLM SSO profile. Take note of the username and password source variables in this profile.

  2. Create a new access policy and assign the above SSO profile to it.

  3. Open the visual policy editor for this new access policy and create a Variable Assignment agent. In this case, you'll probably want to set and create the session.logon.last.username and session.logon.last.password variables. Example:

    session.logon.last.username = expr { "bob.user" }
    session.logon.last.password = expr { "jimbob" }    <- set the secure option

  4. After the Variable Assignment agent, add an SSO Credential Mapping agent. Leave the default values.

  5. End with a simple Allow block.

  6. Apply this access policy to the LTM VIP.

When a user accesses this VIP, the access policy will trigger the SSO and use the static values in the variable assignment (the service account) to perform NTLM challenge/response authentication with the web server.

0
Comments on this Answer
Comment made 22-Apr-2014 by Brett 257
Thank you. This makes sense now, I appreciate the help, I will let you guys know the outcome.
0
Comment made 28-Apr-2014 by Brett 257
I got it to work; however, the only way I could get the variables to work correctly is to set them as they are below. When I put them in the advanced section as stated above, for some reason they would not set properly. Thanks for the help, I really appreciate it. session.logon.last.username = Text "username" [S] session.logon.last.password = return {password}
0
Comment made 29-Apr-2014 by Kevin Stewart
Good catch. Forgot to mention that.
0
Comment made 01-Aug-2017 by cjmalon 80

Hi, I have attempted to configure this as described above on an LTM-APM VIP. I do not see the server-side connection being launched; these are the only errors I see in the log.

Wed Aug 2 09:35:39 EST 2017 warning ECOCCSCSAD02 tmm[19610] 01490531 716917c8 Detected invalid host header ().
Wed Aug 2 09:35:39 EST 2017 notice ECOCCSCSAD02 tmm[19610] 01490567 /Common/ESRI_NTLM:Common:716917c8: Session deleted (no_hostname).
Wed Aug 2 09:36:16 EST 2017 notice ECOCCSCSAD02 tmm[19610] 01490521 /Common/ESRI_NTLM:Common:716917c8: Session statistics - bytes in: 0, bytes out: 0

Does anyone have any idea as to why the server-side session is not being launched, and the meaning of the no_hostname code for the session deleted?

0
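As an added example (not part of the thread), a small Python parser for APM log lines in the format quoted in the last comment. It groups events by the 8-hex-digit session ID so the deletion reason (here no_hostname) and the Host header value reported by the preceding 01490531 warning can be read side by side with the session byte counts. The first three sample lines are the ones quoted above; the fourth is constructed.

```python
import re
from collections import defaultdict

# Sample APM log: three lines quoted in the thread plus one constructed line
# for a second session, so the per-session grouping is visible.
SAMPLE_LOG = """\
Wed Aug  2 09:35:39 EST 2017 warning ECOCCSCSAD02 tmm[19610] 01490531 716917c8 Detected invalid host header ().
Wed Aug  2 09:35:39 EST 2017 notice ECOCCSCSAD02 tmm[19610] 01490567 /Common/ESRI_NTLM:Common:716917c8: Session deleted (no_hostname).
Wed Aug  2 09:36:16 EST 2017 notice ECOCCSCSAD02 tmm[19610] 01490521 /Common/ESRI_NTLM:Common:716917c8: Session statistics - bytes in: 0, bytes out: 0
Wed Aug  2 09:40:02 EST 2017 notice ECOCCSCSAD02 tmm[19610] 01490521 /Common/ESRI_NTLM:Common:0a1b2c3d: Session statistics - bytes in: 4096, bytes out: 1024
"""

# <timestamp> <level> <host> tmm[<pid>] <msgid> <context> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<level>\w+) (?P<host>\S+) tmm\[(?P<pid>\d+)\] "
    r"(?P<msgid>[0-9a-fA-F]{8}) (?P<ctx>\S+) (?P<msg>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Context is either a bare session id ("716917c8") or
    # "<policy>:<partition>:<session id>:" for policy-scoped messages.
    parts = rec.pop("ctx").rstrip(":").split(":")
    rec["session"] = parts[-1]
    rec["policy"] = parts[0] if len(parts) == 3 else None
    return rec

def summarize_sessions(log_text):
    """Group events by session id and pull out the troubleshooting fields:
    deletion reason, Host header seen in the warning, and byte counts."""
    sessions = defaultdict(lambda: {"policy": None, "events": [], "deleted_reason": None,
                                    "host_header": None, "bytes_in": None, "bytes_out": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[rec["session"]]
        s["events"].append((rec["msgid"], rec["msg"]))
        if rec["policy"]:
            s["policy"] = rec["policy"]
        if (m := re.search(r"Session deleted \((\w+)\)", rec["msg"])):
            s["deleted_reason"] = m.group(1)
        if (m := re.search(r"Detected invalid host header \((.*)\)", rec["msg"])):
            s["host_header"] = m.group(1)   # "" means the Host header was empty
        if (m := re.search(r"bytes in: (\d+), bytes out: (\d+)", rec["msg"])):
            s["bytes_in"], s["bytes_out"] = int(m.group(1)), int(m.group(2))
    return dict(sessions)
```

A session whose deleted_reason is set and whose byte counts are zero was torn down by APM before any server-side traffic was sent, which is what the quoted lines show for session 716917c8.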