

David_Glasgow_1
May 27, 2015

ASP.NET Forms based Login

Hi all

We are having an issue securing a web application secured using ASP.NET Forms based authentication.

If we publish the internal site via a Virtual Server everything works fine, however we want to place an Access Policy in front of the application to ensure the authentication is managed on the F5, and upon successful authentication the connection is established through to the web app.

The following form values are required:

  • Username = ctl00$content$txtEmail
  • Password = ctl00$content$txtPassword

And the following hidden fields are used:

  • ctl00$content$btnLogin = Continue
  • __EVENTVALIDATION {long random string}
  • __VIEWSTATEGENERATOR {shorter random string}
  • __VIEWSTATE {long random string}

The issue I have is that the random strings above are related to the session, so I somehow need the F5 to visit the webpage - like the Start URI - read the values from the returned page for __EVENTVALIDATION, __VIEWSTATEGENERATOR and __VIEWSTATE, and submit these back when the form is submitted.

Thanks David
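The round trip described in the question (fetch the login page, read the session-bound hidden fields, replay them together with the credentials) as an added Python example; it is not part of this thread or of F5's APM code, and is useful for checking what a login form actually expects before configuring SSO. The HTML below is a constructed sample using the field names from the question; the __VIEWSTATE, __VIEWSTATEGENERATOR and __EVENTVALIDATION values are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of what the Start URI might return. Field names are the
# ones from the question; the hidden values are fake stand-ins.
SAMPLE_LOGIN_PAGE = """
<form method="post" action="./Login.aspx" id="form1">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJ-FAKE-VIEWSTATE" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAX-FAKE-EVENTVALIDATION" />
<input name="ctl00$content$txtEmail" type="text" id="txtEmail" />
<input name="ctl00$content$txtPassword" type="password" id="txtPassword" />
<input type="submit" name="ctl00$content$btnLogin" value="Continue" id="btnLogin" />
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collect the name/value of every <input type="hidden"> on the page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    """Return the session-bound fields (__VIEWSTATE etc.) as a dict."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.hidden


def build_login_body(html, username, password):
    """Replay the hidden fields verbatim, then add the credentials and the
    submit button value, which ASP.NET uses to pick the postback handler."""
    fields = extract_hidden_fields(html)
    fields["ctl00$content$txtEmail"] = username
    fields["ctl00$content$txtPassword"] = password
    fields["ctl00$content$btnLogin"] = "Continue"
    return urlencode(fields)
```

Against a live site, the GET of the Start URI and the POST must share the same cookie jar, since ASP.NET ties the generated values to that session.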
3 Replies

  • For login forms like those built in ASP.NET where you have some dynamic fields, you'll need to use a Forms - Client Initiated profile instead of the normal Forms profile. The client initiated profile will cause APM to inject some JavaScript into the page that will populate the fields and then submit the form.

    As far as the form parameters you set up in the profile, you should only include the username and password ones. Don't add the eventvalidation or viewstate stuff, since they're generated from the ASP.NET server side.

    Hope this helps.

  • Hi Michael

    I'm not currently using the Forms Profile. My concept here is that you cannot access the IIS webserver until you have successfully authenticated against the F5.

    The approach we have taken here is:

    We have an Access Policy | AAA Servers | HTTP configured as:

    And an Access Policy that looks like this:

    The HTTP Auth in this Access Policy references the AAA Server in the previous image.

    I'm not sure how I would go about replacing the HTTP Auth with an SSO object? Any assistance you can provide would be greatly appreciated.

    Thanks David

  • Ah. I misunderstood. Sorry about that. Unfortunately I haven't had any experience trying to do this, as all our auth is to AD.

    However, you could try disabling event validation and viewstate on the ASP.NET side (you may have to google around to find a good method of doing that; here's one link I found that may help), which would eliminate the need for those form fields. Then you may be able to do the post successfully. I wouldn't always recommend disabling those things, since eventvalidation is there for security and viewstate for performance and state management, but you may be able to disable them for just the login page, which might accomplish what you're looking for.