Forum Discussion

JoeTheFifth's avatar
JoeTheFifth
Icon for Altostratus rankAltostratus
Jun 21, 2017

Reset forgotten user password iRule = Sideband

Hi Guys,

 

Just discovered the sideband technique. I'm looking into crafting an irule to reset a user password in Active directory. I'm using APM to get the user loginname. BigIP LTM 11.5.4. Here is the workflow of the APM policy:

 

  1. Detect the url is a passwordreset url through the landinguri variable (via an irule event)
  2. Present the user with a loginpage to enter his username
  3. Do an AD query to get the attributes (email)
  4. Generate an OTP5. Send an email with the OTP
  5. present the user with a loginpage to enter the OTP
  6. Verify the TOP
  7. Reset the user password in AD with an iRule
  8. Set the attribute "User must change password at next logon"
  9. Send the new password to the user's email (fetched in step 3)
  10. Present the user with a loginpage to enter his user name and password
  11. Authenticate vai AD Auth13. Do an SSO Mapping to get a kerb ticket
  12. Let the user in if everything is ok

And the missing steps are:

 

  1. Reset the user password in AD with an iRule
  2. Set the attribute "User must change password at next logon"

Thanks for your help.

 

APM
application delivery
BIG-IP

11 Replies

Sort By
  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    Jun 21, 2017

    My plan:

     

    1. Build a lightweight IIS web site on my Web Server
    2. Add code (C sharp) to reset password and Set the 'Change Password at next logon' based on a string (username) received in the query example :
    3. Create an irule to perform a sideband connection => send the username and get a success result
    4. go on with the APM policy if result is OK.
    5. User will get a random password and will be asked to change it by APM on next logon

    What do you guys think?

     

    • JoeTheFifth's avatar
      JoeTheFifth
      Icon for Altostratus rankAltostratus
      Jun 22, 2017

      I managed to make it work as expected. I made a webservice (iis) and added code to generate a temp randam password, reset the user password using this random temp one, check the box 'user must change password at next logon' and email the temp password to the user. I forked a sideband irule to connect to the webservice through a virtual server and and send the query to trigger the webservice webmethod to do the job. The webservice runs under and app pool account with the necessary rights to perform the password reset and attribute change and return success or failure. The returned data is processed by the irule and a variable is set to ok or ko and is available to APM policy flow. APM policy continues based on the 1/0 result => access/deny

       

      I now have to think of ways to make this secure. The options I see: 1. make the webservice work through https 2. make the webservice accessible to the bigip selfips only 3. Make the webservice authenticated maybe and add a user and password in the sideband connection (not sure this is doable). Please let me know if you have security lockdown options.

       

    • Daniel_W__13795's avatar
      Daniel_W__13795
      Icon for Nimbostratus rankNimbostratus
      Jun 23, 2017

      Just forgot to mention: We got trouble with using SHA1 signed certs. So better go for SHA256 certificates.

       

  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    Jun 25, 2017

    solution is working fine. I even added AD group management in the webservice script for users authenticated through this apm policy. script adds users to a specific group on first logon and apm check the presence of the authenticated users in this group when validating access. So question closed :-)