Forum Discussion

Mike_Harpe_6170's avatar
Icon for Nimbostratus rankNimbostratus
Jan 31, 2012

DoD CAC authentication using IIS through LTM

I am working with developers and SA people to get an app that uses IIS authentication with LTM.



Basic setup is a virtual server on 443 with a cert on the front end, two servers on the back end being load balanced and running SSL/TLS as well. We want to be able to authenticate the users using the cert on the CAC. The app looks at fields in the CAC cert, specifically the CN.



If we put the app on a FastL4 server the authentication works however we don't have persistence and that causes timeouts and other problems.



I have tried everything I can think of and this just refuses to work. I don't have a ton of experience with CACs so I am sure I am missing something.



Any help is appreciated.



Mike Harpe


US Army Human Resources Command


Fort Knox, KY


7 Replies

  • I think you can create an IRULE who will copy the necessary data from the clientssl side into the serverssl side. So your IIS-servers will get the proper CN or whatever you need.
  • Perhaps these links might help?








  • Mike,


    So basically you want to be able to pass a certificate from a client through the LTM to one of the servers on the back side is what I am hearing.



    You are going to need to use an iRule for this and put the information into the Header for the server to read. I am doing something like this with one of our applications that runs through an ASM. Your issue is that the connection is proxied and the client certificate is not being passed from the client side of the connection to the server side of the connection.



    One other thing you could do is just do the client cert auth on the LTM itself through the Client SSL profile. Again you will need an iRule if you want to check for certain CNs but it is a pretty simple iRule I am also using this logic for a couple applications I run. See reference below.




  • If you can't modify the web app to either disable the client cert requirement or parse the client cert from HTTP request headers, you could use try Proxy SSL. It's a feature added in 11.0 which allows the client and server to negotiate the SSL handshake directly. But once the handshake is complete, TMM can decrypt the SSL and inspect/modify/optimize the decrypted application traffic.



    The upside is that you can handle mutual auth through LTM without modifying the client or app. The downside is that you're not offloading the SSL from the servers to LTM.



    Implementing Proxy SSL on a Single BIG-IP System




    Make sure to use 11.1 with the latest hotfix as there have been some recent fixes.



  • So not to sidebar this conversation but you peaked my interest with the ProxySSL note. So from reading the link you provided, am I correct in assuming if I do this on a system that has ASM licensed that I can still inspect all data with that module?



  • Hi Mike,



    That's the goal. I haven't tested it with ASM though.



    You should be able to import each server cert/key into a separate server SSL profile, add the default client SSL profile, each of the server SSL profiles, an HTTP profile and an HTTP class to the VS.



    If you give it a try let us know what you find. I'll do the same.



  • I am going to be upgrading from 10.2.0 to 11.1 HF1 over the next month or so, and yes I do have an application that I am going to test this for. I will post a new thread and let you all know how it goes.