uni
Sep 10, 2015

Basic auth to authenticate against AD

Can I use APM to request basic auth for a virtual server, and have the credentials authenticated against AD? The pool member server has no authentication.


I've seen Kevin's article https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication, but need to be able to offer basic auth to the client.


I've seen a couple of articles which allude to this ability, but don't provide enough info for me to implement.


1 Reply

  • Hi,

    • Basic Auth is supported by APM and provides username / password
    • AD Auth is supported by APM and requires username / password

    So Basic Auth against AD is supported.

    Basic auth can be activated in 2 modes:

    • default behavior of APM is
      • redirect user to /my.policy
      • request 401 authentication
      • authenticate provided credentials against authentication server
      • redirect user to Landing URI
    • Clientless mode
      • request 401 authentication within an irule
      • authenticate provided credentials against authentication server
      • allow user if authenticated

    Clientless mode has some limitations:

    • POSTs are limited to 64KB (extendable to 25MB)
    • not available without an iRule

    You can use the following iRule to use clientless mode:

    when RULE_INIT {
        set static::Basic_Realm_Text "Web Services Authentication"
    }

    when HTTP_REQUEST {
        set apmsessionid [HTTP::cookie value MRHSession]
        if { [HTTP::cookie exists "MRHSession"] } {
            set apmstatus [ACCESS::session exists -state_allow $apmsessionid]
        } else {
            set apmstatus 0
        }
        if { !($apmstatus) } {
            # Insert the clientless-mode header so APM starts in clientless mode
            if { [catch {HTTP::header insert "clientless-mode" 1}] } {
                log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"
            }
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Authentication request for a non-browser user-agent was denied:
        # challenge again with Basic and drop the failed session
        if { [ACCESS::policy result] equals "deny" } {
            ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
            ACCESS::session remove
            return
        }
    }
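The clientless exchange the reply describes, modelled end to end as an added example in Python (this is not the iRule above and not F5 code): a request with no valid `MRHSession` cookie gets a 401 `WWW-Authenticate: Basic` challenge, a correct `Authorization: Basic` header creates an allowed session, and a failed policy returns the same 401 with no session left behind. `DIRECTORY`, `ClientlessGateway`, `Response` and the `X-User` header are constructed for the example; the directory is a stand-in for the AD bind APM would perform, not a real AD client.

```python
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the AD directory the APM policy authenticates against.
DIRECTORY = {"alice": "correct horse battery staple"}
REALM = "Web Services Authentication"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    """Client side: build the 'Basic <base64(user:password)>' value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization):
    """Server side: return (user, password) from an Authorization value, or None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials, re-challenge
    # RFC 7617: split on the first colon only; passwords may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def challenge():
    """Mirrors ACCESS::respond 401 ... WWW-Authenticate "Basic realm=..." Connection close."""
    return Response(401, {"WWW-Authenticate": f'Basic realm="{REALM}"', "Connection": "close"})


class ClientlessGateway:
    """Models the iRule: no allowed MRHSession -> 401 challenge; deny -> 401 and no session."""

    def __init__(self):
        self.sessions = {}  # MRHSession value -> user, i.e. sessions in the allowed state

    def handle(self, headers):
        # Equivalent of HTTP::cookie exists + ACCESS::session exists -state_allow
        cookie = headers.get("Cookie", "")
        session_id = cookie.partition("MRHSession=")[2].split(";")[0]
        if session_id and session_id in self.sessions:
            return Response(200, {"X-User": self.sessions[session_id]})

        creds = parse_basic(headers.get("Authorization", ""))
        if creds is None:
            return challenge()  # first request from a non-browser client

        user, password = creds
        expected = DIRECTORY.get(user)
        # Constant-time comparison; a missing user takes the same path as a wrong password.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return challenge()  # policy result "deny": re-challenge, nothing stored

        new_id = secrets.token_hex(16)
        self.sessions[new_id] = user
        return Response(200, {"Set-Cookie": f"MRHSession={new_id}", "X-User": user})
```

Two details matter when reproducing this on the BIG-IP: the `Authorization` header carries the credentials base64-encoded but otherwise in the clear on every request, so the virtual server must be TLS-terminated, and a rejected attempt must not leave a session behind, which is why the iRule calls `ACCESS::session remove` before returning the 401.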