APM - translating group SIDs extracted from Kerberos token

Hi community,

I am trying to "translate" group SIDs extracted from Kerberos token in APM policy (SWG authentication policy). My authentication logic uses KerberosAuth agent which collects SIDs and puts them into the variable named  session.kerberos.last.groupsids. This works well - a user is authenticated and group SIDs are visible. The SID format is well-known from Microsoft docs (eg. S-1-5-32-544 means Local Admins group, etc.). I am looking for a way to translate collected SIDs into "human readable" groups' names - I need to put this into HTTP header in clear text.

I cannot use LDAP/AD query - as it will not show dynamic groups' membership. We are using Authentication Mechanism Assurance (AMA) in Active Directory. AMA adds an administrator-designated, universal group membership to a user's access token when the user's credentials are authenticated during logon by using a certificate-based logon method. One cannot get this information by querying LDAP/AD. This information is only visible in access token (in this case - Kerberos token).

If you want to do the SID translation using PowerShell you can run the following script on your Windows workstation:

$token = [System.Security.Principal.WindowsIdentity]::GetCurrent() # Get current user context
$groupSIDs = $token.Groups # Get SIDs in current Kerberos token
foreach($sid in $groupSIDs) { # for each of those SIDs...
            try { # try to..
                        Write-Host (($sid).Translate([System.Security.Principal.NTAccount])) # translate the SID to an account name
            }
            catch { # if we can't translate it...
                        Write-Warning ("Could not translate " + $sid.Value + ". Reason: " + $_.Exception.Message) # Output a warning and the corresponding exception
            }
}

I am looking for a way to achieve this using iRule/any other means on F5.

Any hint apprieciated!

Regards

xRes