Forum Discussion
Mike_Harpe_6170
Nimbostratus
NimbostratusDoD CAC authentication using IIS through LTM
I am working with developers and SA people to get an app that uses IIS authentication with LTM.
Basic setup is a virtual server on 443 with a cert on the front end, two servers on the back end being load balanced and running SSL/TLS as well. We want to be able to authenticate the users using the cert on the CAC. The app looks at fields in the CAC cert, specifically the CN.
If we put the app on a FastL4 server the authentication works however we don't have persistence and that causes timeouts and other problems.
I have tried everything I can think of and this just refuses to work. I don't have a ton of experience with CACs so I am sure I am missing something.
Any help is appreciated.
Mike Harpe
US Army Human Resources Command
Fort Knox, KY
7 Replies
mikand_61525I think you can create an IRULE who will copy the necessary data from the clientssl side into the serverssl side. So your IIS-servers will get the proper CN or whatever you need.- mikand_61525Perhaps these links might help?
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/29075/showtab/groupforums/Default.aspx
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
http://devcentral.f5.com/wiki/iRules.SSL.ashx
http://devcentral.f5.com/wiki/iRules.X509.ashx 
Mike_MaherMike,
So basically you want to be able to pass a certificate from a client through the LTM to one of the servers on the back side is what I am hearing.
You are going to need to use an iRule for this and put the information into the Header for the server to read. I am doing something like this with one of our applications that runs through an ASM. Your issue is that the connection is proxied and the client certificate is not being passed from the client side of the connection to the server side of the connection.
One other thing you could do is just do the client cert auth on the LTM itself through the Client SSL profile. Again you will need an iRule if you want to check for certain CNs but it is a pretty simple iRule I am also using this logic for a couple applications I run. See reference below.
http://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx
hoolioCirrostratus
If you can't modify the web app to either disable the client cert requirement or parse the client cert from HTTP request headers, you could use try Proxy SSL. It's a feature added in 11.0 which allows the client and server to negotiate the SSL handshake directly. But once the handshake is complete, TMM can decrypt the SSL and inspect/modify/optimize the decrypted application traffic.
The upside is that you can handle mutual auth through LTM without modifying the client or app. The downside is that you're not offloading the SSL from the servers to LTM.
Implementing Proxy SSL on a Single BIG-IP System
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html
Make sure to use 11.1 with the latest hotfix as there have been some recent fixes.
Aaron- Mike_MaherSo not to sidebar this conversation but you peaked my interest with the ProxySSL note. So from reading the link you provided, am I correct in assuming if I do this on a system that has ASM licensed that I can still inspect all data with that module?
- hoolioHi Mike,
That's the goal. I haven't tested it with ASM though.
You should be able to import each server cert/key into a separate server SSL profile, add the default client SSL profile, each of the server SSL profiles, an HTTP profile and an HTTP class to the VS.
If you give it a try let us know what you find. I'll do the same.
Aaron - Mike_MaherI am going to be upgrading from 10.2.0 to 11.1 HF1 over the next month or so, and yes I do have an application that I am going to test this for. I will post a new thread and let you all know how it goes.
