Forum Discussion

Russell_77729
Feb 18, 2015

Get username in iRule without APM

I have an SSO process running in an ASP webpage in IIS. This is the only thing this server does, so I was thinking about replacing this process with an iRule. The thing that has me stumped is how to retrieve the username in the iRule to pass on to the web service. From what I am seeing, there are solutions to do this when using APM, but I'm hoping to not involve another module and stick with LTM only if possible. Is this even remotely possible?

 

5 Replies

  • Lucas_Thompson_
    Historic F5 Account

    How does the SSO process running in the ASP webpage in IIS get the username? Probably the best thing is to analyze what it does first, then see how to emulate or improve on that.

     

    • Russell_77729
      It uses Windows Integrated Authentication in IIS to retrieve DOMAIN\username, then strips "DOMAIN\" to be left with just the username, with the following VB code:

      Dim loginName As String = Request.LogonUserIdentity.Name.ToString.Split("\"c)(1).Replace(" "c, "_")
  • Lucas_Thompson_
    Historic F5 Account

    OK, so you'd need to write a server implementation of NTLM authentication in an iRule. This is difficult and probably not really a good idea because of the complexity. APM does provide this mechanism to validate the creds via NTLM, however with APM we don't have any access to the password because of how NTLM works (it's technically impossible). To get around this, SAML or kerberos is usually used. Like this:

     

    • User authenticates to APM via IE w/NTLM automatic-authentication in Local Intranet.
    • User now has APM session with their username (username is grabbed from NTLM, but not the PW)
    • APM SSOs the user to some other IIS backend via Kerberos S4U, using the username and a service account
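To make Lucas's point concrete, here is an added example (not code from the thread, from F5, or from the ASP page), written in Python rather than iRule Tcl so it can be run stand-alone. It parses the client's final NTLM message (Type 3, AUTHENTICATE_MESSAGE) and pulls out the domain, user and workstation, then applies the same normalisation as the posted VB line. The message it parses is constructed by the helper `build_type3`, which is a test fixture only: a real client derives the NT response from the user's password and the server's challenge. The function names (`parse_type3`, `build_type3`, `asp_login_name`) are this example's own. What it shows is the asymmetry Lucas describes: reading the username out of the message is trivial, but nothing short of the account's NT hash or a NetLogon call to a domain controller can check the NT response, so an LTM-only iRule that forwarded this name to the backend would be trusting a field any client can fill in with any value.

```python
"""Parse user/domain out of an NTLM Type 3 message; show why the name alone is untrusted.

Added example, not from the thread. Layout follows MS-NLMP AUTHENTICATE_MESSAGE:
8-byte signature, 4-byte type, then six (Len, MaxLen, Offset) security buffers
at offsets 12,20,28,36,44,52, then 4-byte NegotiateFlags at 60.
"""
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SIGNATURE = b"NTLMSSP\x00"


def _field(msg: bytes, offset: int) -> bytes:
    """Read one security buffer (Len, MaxLen, Offset) and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def parse_type3(authorization_header: str) -> dict:
    """Extract domain/user/workstation from an 'Authorization: NTLM <base64>' value.

    Nothing here validates the NT response: 'validated' is always False, because
    doing so needs the user's NT hash or a DC, which an LTM-only iRule does not have.
    """
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # UNICODE flag picks encoding
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_response_len": len(_field(msg, 20)),
        "validated": False,  # the NT response was never checked against anything
    }


def build_type3(domain: str, user: str, workstation: str, nt_response: bytes) -> str:
    """Constructed test fixture: any caller can put any name here, no password needed."""
    base = 64 + 8  # 64-byte fixed header plus the 8-byte Version block
    payload = b""
    fields = []
    # Buffer order: LmChallengeResponse, NtChallengeResponse, DomainName,
    # UserName, Workstation, EncryptedRandomSessionKey.
    for data in (b"", nt_response,
                 domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(data), len(data), base + len(payload)))
        payload += data
    header = SIGNATURE + struct.pack("<I", 3) + b"".join(fields)
    header += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 8  # flags + Version
    return "NTLM " + base64.b64encode(header + payload).decode()


def asp_login_name(logon_user_name: str) -> str:
    """Python equivalent of the posted VB line: keep what follows 'DOMAIN\\', spaces -> underscores."""
    return logon_user_name.split("\\")[1].replace(" ", "_")


if __name__ == "__main__":
    # Constructed message: the NT response is junk, yet the name parses cleanly.
    hdr = build_type3("CORP", "j smith", "WS01", b"\x00" * 24)
    info = parse_type3(hdr)
    print(info, "->", asp_login_name(f"{info['domain']}\\{info['user']}"))
```

Run it and the constructed message yields `CORP\j smith` and a backend login name of `j_smith` even though the NT response is 24 zero bytes; swap in `Administrator` and it parses just as happily. That is the gap APM closes by actually completing the NTLM exchange against the domain before the username lands in the session, and why the username it ends up with is trustworthy while the password is not recoverable.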

    • Russell_77729
      Is there a deployment guide, iApp, or example you can point me to for this?
  • ps: do you want to run without APM because of the Java stuff, or why? If you run some dedicated client instead of a browser, you have the option to run "client-less" through the APM ti