Forum Discussion
BigIP User SSL Authentication
Hi Guys, Let's start with the setup:
* 1 Domain Controller (also acting as CA)
* 2 IIS servers
* 1 BigIP
* 1 Windows PC
I want to use SSL to authenticate the user using the Windows PC. I set up an IIS site using a domain certificate. I create a certificate for the user. I test the setup connecting the user PC directly to the IIS servers. The user loads the website. He is presented with a certificate choice popup. He chooses the certificate and logs on to the site successfully.

Now comes in the BigIP :-) I set up an HTTPS VS with a client and server SSL profile. BigIP version 10.x. The user loads the site and gets 403 - Forbidden: Access is denied. I understand I'm getting this because the website is configured to require the user certificate but it is not getting the user certificate. The VS is a standard SSL HTTPS VS using a client and a server SSL profile. So the BigIP is doing a decryption/encryption operation and presenting the server SSL profile to the IIS server just to encrypt the traffic and not to authenticate the user.

I can make it work only if I use the VS type Performance (HTTP), which is a passthrough type, so the client PC is talking directly to the IIS server and presenting the user certificate to the IIS server. I also understand that there are authentication modules which can make this work.

So my questions:
1. Am I missing anything?
2. Am I right in thinking the only way to make this work without any authentication module is to create a Performance (HTTP) VS?
Thanks for your time.
12 Replies
- Lucas_Thompson_Historic F5 Account
This use case (sending end-user client certificates to a backend server while still using BIG-IP client/server SSL profiles) can be implemented in 11.x by using the "Proxy SSL" feature.
See documentation here:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html
Also be aware of a bug in earlier 11.x versions. It's corrected in later releases:
https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14571.html
- JoeTheFifth
Altostratus
That's good info there, thanks. I was testing on version 10 VE. My client does have version 11 in production so this will fix it. But I guess I will have to use two different VSs for our needs since we are only using 1 VS for 4 HTTPS sites, and one of these sites will be configured to authenticate users based on SSL certificate. By this I mean if we check the Proxy SSL checkbox on the SSL profiles this will break the other 3 sites. What do you think?
- Lucas_Thompson_Historic F5 Account
Different virtuals give you more cipher options, statistics, and flexibility of general configuration. For sites that don't need client certificates, don't use proxy-ssl.
- JoeTheFifth
Altostratus
Thanks. Is your last sentence a recommendation/best practice or a constraint? Just to be sure about the arguments the client is waiting for. I will test this though.
- JoeTheFifth
Altostratus
I downloaded the Virtual Edition 11.3 available on the F5 site. Unfortunately it has the bug you mentioned and no hotfix is available. According to the link you posted the fix is only available in version 11.4. My client is using 11.2. So I guess we're toast. We will only be able to use the Performance type VS.
- nitass
Employee
I downloaded the Virtual Edition 11.3 available on the F5 site. Unfortunately it has the bug you mentioned and no hotfix available.
can you not use TLS 1.1 and 1.2?
anyway, i understand there is engineering hotfix for 11.3.0. you may open a support case to check.
- JoeTheFifth
Altostratus
How to do that on the LTM? Force not using TLS 1.1 and 1.2??? I'm not an LTM expert :-) This might lead to a compatibility issue on client browsers, I guess!
- nitass
Employee
how to do that on the LTM. force not using tls 1.1 and 1.2???
you can use cipher string.
e.g.
How to force client ssl profile to use tls 1.0 only?
https://devcentral.f5.com/questions/how-to-force-client-ssl-profile-to-use-tls-10-only
This might lead to a compatibility issue on client browsers I guess !
yes, it is possible.
- JoeTheFifth
Altostratus
Thanks. I will check that. One thing is bothering me though. I checked the VS config of my client (version 11.2). The 'Proxy SSL' option is not checked and now the client authentication using SSL is working !!! It was not working last Friday :-( Is it possible this works without checking the Proxy SSL option mentioned in the first reply to my post?
- nitass
Employee
is it possible this works without checking the Proxy SSL option mentioned in the first reply to my post.
clientssl and serverssl can do client and server authentication. proxy ssl comes when you want client to be authenticated by server directly.
SSL Profiles Part 8: Client Authentication by John Wagnon
https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication
SSL Profiles Part 9: Server Authentication by John Wagnon
https://devcentral.f5.com/articles/ssl-profiles-part-9-server-authentication
sol13385: Overview of the Proxy SSL feature
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
hope this helps.
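To make the two modes that this reply (and Lucas's first reply about Proxy SSL) contrast concrete, here is an added tmsh example that is not from the thread or from F5's documentation. Option A has the BIG-IP validate the client certificate itself against the domain CA, which is what the thread's "works without Proxy SSL" configuration does; Option B enables Proxy SSL on a client/server profile pair so the IIS server performs the client-certificate check directly, and its cipher string also drops TLS 1.1/1.2 as suggested earlier in the thread. Profile, pool and virtual names, the 10.1.1.0/24 addresses, and the certificate file names are assumptions; the attribute names are the 11.x tmsh names as I recall them, so confirm them with `tmsh help ltm profile client-ssl` on the target version before use.

```tmsh
# Added example, not from the thread. Names, addresses and file names are assumptions.

# --- Option A: BIG-IP terminates TLS and validates the client certificate itself ---
# peer-cert-mode require = "Client Certificate: require" in the GUI.
# ca-file        = Trusted Certificate Authorities (used to validate the user cert).
# client-cert-ca = Advertised Certificate Authorities (sent in the CertificateRequest,
#                  so the Windows PC only offers certs issued by the domain CA).
# The pool members only ever see the BIG-IP's server-side session, so the IIS site
# must be set to Accept/Ignore client certificates, not Require (Require gives the 403).
create ltm profile client-ssl clientssl_iis_clientauth {
    defaults-from clientssl
    cert iis-site.crt
    key iis-site.key
    peer-cert-mode require
    ca-file lab-dc-ca.crt
    client-cert-ca lab-dc-ca.crt
    authenticate once
    authenticate-depth 9
}

# --- Option B: Proxy SSL, the IIS server authenticates the client directly (11.x) ---
# The BIG-IP stays in the path but does not run its own handshake with the client; it
# uses the server's private key to derive the session keys, so BOTH profiles carry the
# same cert/key that IIS presents (assumption: same file names on the BIG-IP).
# Proxy SSL needs RSA key exchange (no DHE/ECDHE); the string below also excludes
# TLS 1.1/1.2 to sidestep the 11.3 Proxy SSL bug mentioned above. Cipher keywords are
# an assumption; check the resulting list with: tmsh list ltm profile client-ssl <name>
create ltm profile client-ssl clientssl_iis_proxy {
    defaults-from clientssl
    cert iis-site.crt
    key iis-site.key
    proxy-ssl enabled
    ciphers "DEFAULT:!ECDHE:!DHE:!TLSv1_1:!TLSv1_2"
}
create ltm profile server-ssl serverssl_iis_proxy {
    defaults-from serverssl
    cert iis-site.crt
    key iis-site.key
    proxy-ssl enabled
    ciphers "DEFAULT:!ECDHE:!DHE:!TLSv1_1:!TLSv1_2"
}

# Shared pool of the two IIS servers (addresses are assumptions).
create ltm pool iis_pool {
    members add { 10.1.1.11:443 { } 10.1.1.12:443 { } }
    monitor https
}

# Proxy SSL is a per-profile setting, so the client-cert site gets its own virtual
# server and the other three HTTPS sites keep a plain clientssl/serverssl virtual.
create ltm virtual vs_iis_clientauth {
    destination 10.1.1.100:443
    ip-protocol tcp
    pool iis_pool
    profiles add {
        tcp { }
        http { }
        clientssl_iis_clientauth { context clientside }
        serverssl { context serverside }
    }
}

# No http profile here: with Proxy SSL the application payload stays encrypted end to
# end between the Windows PC and IIS, so the BIG-IP cannot parse or rewrite HTTP.
create ltm virtual vs_iis_proxyssl {
    destination 10.1.1.101:443
    ip-protocol tcp
    pool iis_pool
    profiles add {
        tcp { }
        clientssl_iis_proxy { context clientside }
        serverssl_iis_proxy { context serverside }
    }
}
```

A quick way to tell which mode a virtual is actually in from the client side is `openssl s_client -connect <vip>:443 -tls1` from the Windows PC or any host: the "Acceptable client certificate CA names" in the output come from `client-cert-ca` under Option A, but from IIS's own advertised CA list under Option B, because in Proxy SSL the CertificateRequest message is the server's, not the BIG-IP's. If the output shows no CertificateRequest at all, the virtual is in neither mode and IIS will keep returning 403 when it is set to Require.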
- JoeTheFifth
Altostratus
mmm how do you explain the fact that the proxy ssl option is not checked and the user ssl authentication is working? if I understand the implementation of this option you have to check it on both profiles if you want the server to authenticate the user using an ssl certificate...
- JoeTheFifth
Altostratus
Any volunteers? does direct client ssl authentication work without the proxy ssl option checked? I'm seeing mixed results on version 11.2.1 build 1225.0 Hotfix HF10, physical appliance.