Forum Discussion

bdavis
Apr 22, 2014

iRule: Intercepting NTLM authentication requests and responding with a static service account and password

I have a scenario where I am doing two-factor authentication on the front end of a virtual server, which does not include NTLM authentication. Unfortunately the back-end application requires NTLM authentication with a username and password. The idea, until we can put a SiteMinder federation solution in place, is to authenticate this traffic to the back-end servers by intercepting the authentication requests from the server and providing a standard service account username and password response back to the server. This keeps users on the front end from having to enter this service account manually and also keeps us from having to hand this account out to users. Is it possible to intercept the NTLM authentication request and respond back with a static username and password? If this is possible, could someone please provide some sort of iRule code example of doing this, because I am stuck. I know this is probably not a normal thing to do, but it will buy us some time to put the permanent solution in place. Thanks in advance for the help.


3 Replies

  • Are you using APM (Access Policy Manager)? If you were to do it that way, you can easily enable any sort of n-factor authentication on the front-end virtual and then perform NTLM-based SSO with service account credentials as you've described - that is the best approach.


  • Pretty straightforward, actually. Create an NTLM SSO profile and apply it to your access policy. Take note of the username and password source variables in the SSO profile and create a Variable Assignment inside the visual policy to statically define these variables and their values.


  • How do you configure the service account piece?

    1. Create a new NTLM SSO profile. Take note of the username and password source variables in this profile.

    2. Create a new access policy and assign the above SSO profile to it.

    3. Open the visual policy editor for this new access policy and create a Variable Assignment agent. In this case, you'll probably want to set and create the session.logon.last.username and session.logon.last.password variables. Example:

      session.logon.last.username = expr { "bob.user" }
      session.logon.last.password = expr { "jimbob" }   <- set the secure option

    4. After the Variable Assignment agent, add an SSO Credential Mapping agent. Leave the default values.

    5. End with a simple Allow block.

    6. Apply this access policy to the LTM VIP.

    When a user accesses this VIP, the access policy will trigger the SSO and use the static values in the variable assignment (the service account) to perform NTLM challenge/response authentication with the web server.