Forum Discussion
Domain authentication is required to access resources
Hi everyone,
We have an issue. When clients access resources through F5, they cannot access the page. Using Wireshark we found out there is an authentication/authorization issue.
Based on the server side, to access the resources, the user's domain account should be allowed on the server.
From the F5 side we also found out that it cannot access the resources.
Is there a way we can let the F5 BIG-IP use a domain account to access these resources?
4 Replies
- Kevin_Stewart
Employee
Questions.
- Are you using APM?
- What kind of authentication are the servers expecting?
- Kevin_Stewart
Employee
By authentication I mean Kerberos, NTLM, Basic, form auth, SecurID, client certificate, etc. - as in how the client presents its identity to the server. For Windows-based auth (Kerberos and NTLM especially), a virtual server in front of an application can break the "natural" authentication between internal clients and internal servers. How you solve that though depends on how you're trying to authenticate.
- Kevin_Stewart
Employee
Inline comments.
> We need a clientssl and serverssl profile containing the same cert, right?

No. The F5 is a full proxy, so the SSL session created on the client side (client to F5) is completely separate from the SSL session created on the server side (F5 to server). On the client side, the F5 is the server side of that SSL session. On the server side, the F5 is the client side of that session. So for client side SSL you generally care more about how the SSL works since you need to build an adequate trust and use good ciphers. But on the server side it's usually less important. It's pretty standard to just use the default "serverssl" profile, or "serverssl-insecure-compatible" profile, as certificate trust is generally ignored on the server side and you don't really need as strong of a cipher selection on the inside of the proxy.

> If we created a certificate request from F5 (.csr), it will be authenticated by their CA and they will give us a (.cer), right?

Yes. A CSR is a certificate signing request - essentially the public key with some additional X.509 information that the CA may choose to include in the certificate that it issues back to the requester. The CA issues a signed certificate, usually in .cer or .crt format that includes the public key and an X.509 structure that defines characteristics of the public key, including subject, issuer, validity times, revocation information, etc.

> How about the server side: what do we need to give them, or do they need to create another .csr with the same alternate name we have with the F5 BIG-IP?

Again, on the server side it doesn't usually matter. The F5 is the client side of that SSL session, and the default serverssl profile will generally ignore any certificate trust issues.

> Because right now every time we try to give the .cer from F5 to that server, the server cannot see it.

If you put a certificate and private key in the server SSL profile, you're essentially giving it a client certificate, which would only be useful if the server required mutual authentication (requested a client certificate). I'm assuming it doesn't here, so the cert and key would never be used.
- Kevin_Stewart
Employee
A 404 error suggests "File not found". Perform a tcpdump on the server side (F5 to server) and see if there's any traffic. I'm guessing there will be, which would likely indicate that the 404 is actually coming from the server itself.