For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Wand_97484's avatar
Wand_97484
Icon for Nimbostratus rankNimbostratus
Sep 13, 2013

APM ClientCert to Kerberos Transition - parsing SubjectAlternateName in Variable assign

Hi,   I'm currently setting up different APM profiles to test Kerberos Protocol Transition. LDAP Auth to Kerberos works RSA SecurID to Kerberos works Client Certificate to Kerberos - does not work...
BIG-IP Access Policy Manager (APM)
security
Wand_97484's avatar
Wand_97484
Icon for Nimbostratus rankNimbostratus
Oct 08, 2013

Hi Guys,

just came up with a nasty thing Microsoft throws at us 😄 It looks like the Kerberos Client Principal is build by sAMAccountName@REALM. I stumbled across this, while adding another division to my Virtual Server, which uses different values in the UPN and sAMAccountName field (e.g.: UPN = first.last@maildomain vs. sAMAccountName=last). Couldn't find a reference at Microsoft, but at least it's working with the following variable assignment (the ldap.attr.Name is case sensitive - gave me some headache too):

expr { [mcget {session.ldap.last.attr.sAMAccountName}] }

 

extracting the REALM from the DN remains the same:

expr { [string toupper [string map -nocase {,dc= .} [string range [mcget {session.ldap.last.attr.distinguishedName}] [expr [string first ",DC=" [mcget {session.ldap.last.attr.distinguishedName}] 0] +4] end ] ] ]}

 

Cheers JP