Forum Discussion
LordTanamo_3750
Nimbostratus
May 14, 2009
Filter users authenticating via NTLM (MOSS) by domain name
Hello,
I was asked to filter certain users by their domain name (domain2\user or user@domain2) who are prohibited from connecting to MOSS from the public internet, even though they may connect to the...
hoolio
Cirrostratus
May 18, 2009
Hi Jackson,
HTTP::username will return the parsed and base64 decoded username from a basic auth request. It will not parse the username or domain from an NTLM authentication session.
Here is a handy site from a guy who helped reverse engineer the NTLM "protocol". He describes the different types of messages used in an NTLM authentication handshake (http://www.innovation.ch/personal/ronald/ntlm.html). There are three different types of messages you would potentially need to handle. Though, I guess you could just handle the first type and prevent anyone from getting past that point to the type 2 (server response) or type 3 (second client request) steps.
The format for the NTLM Authorization header is: "NTLM <base64 encoded token>". So you can use HTTP::header value Authorization to get the full value of the header. You can check if it starts with NTLM before trying to parse it:
```tcl
when HTTP_REQUEST {
   # Check for an Authorization header value starting with NTLM before trying to parse the request.
   if {[string tolower [HTTP::header Authorization]] starts_with "ntlm"}{
      # ...
   }
}
```
Once you've verified it looks like an NTLM auth header, you can try to base64 decode it and then check to see if it contains the domain you want to block. For type 1 messages, the domain name is listed normally. For type 3 messages, there is a null character between each character in the domain (why, I have no idea).
```tcl
if {[string match -nocase "*domain2*" [b64decode [getfield [HTTP::header Authorization] " " 2]]]}{
   # Request was using a domain2 account
   # [HTTP::header Authorization] returns the raw header value "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
   # [getfield [HTTP::header Authorization] " " 2] returns the base64 encoded token "TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
   # b64decode decodes the encoded token and returns the binary content.
   # Note: this plain match only finds the domain as written in a type 1 message; in a type 3 message
   # the domain has a null character between each letter, so "*domain2*" would not match it.
}
```
If you need to check the type of NTLM message you can use binary scan:
```tcl
# Parse the type code (01, 02, 03) in order to determine the message type and corresponding domain name check
# http://www.innovation.ch/personal/ronald/ntlm.html
# H16 = the 8-byte "NTLMSSP\0" signature, H2 = first byte of the little-endian type field, H* = the rest
binary scan [b64decode [getfield [HTTP::header Authorization] " " 2]] H16H2H* unused1 type_code unused2
log local0. "Type: $type_code"
```
Aaron
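An added Python example (written for this page, not code from the post or an F5 iRule) that does the checks Aaron describes: confirm the "NTLM " prefix, base64 decode, verify the NTLMSSP signature and type code, then read the domain from the type 1 message (plain OEM text) and from the type 3 message (UTF-16LE, which is where the null byte between each letter comes from). The type 1 header value is the one quoted in the post; the type 3 message is constructed by the block itself, and the function and constant names are my own.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag: strings are UTF-16LE instead of OEM text
# Type 1 header value quoted in the post above (domain URSA-MINOR, workstation LIGHTCITY)
SAMPLE_TYPE1_HEADER = "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"

def _secbuf(msg, at):
    """Read an NTLM security buffer (len, maxlen, offset) at 'at' and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, at)
    return msg[start:start + length]

def ntlm_domain(header_value):
    """Return (message_type, domain) for an 'NTLM <base64>' Authorization value, else None."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "ntlm":
        return None
    try:
        msg = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return None
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        return None
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1 and len(msg) >= 24:
        # Type 1: flags at offset 12, domain buffer at 16; the domain is plain OEM text
        return 1, _secbuf(msg, 16).decode("latin-1") or None
    if msg_type == 3 and len(msg) >= 36:
        # Type 3: domain buffer at 28; flags at 60 (if present) say whether strings are UTF-16LE
        raw = _secbuf(msg, 28)
        flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
        is_unicode = flags & NEGOTIATE_UNICODE or (len(raw) % 2 == 0 and b"\x00" in raw)
        return 3, raw.decode("utf-16-le" if is_unicode else "latin-1", "replace") or None
    return msg_type, None  # Type 2 (server challenge) or a truncated message: no domain

def blocked_by_domain(header_value, blocked_domains):
    """True when the NTLM token names one of blocked_domains (case-insensitive)."""
    parsed = ntlm_domain(header_value)
    return bool(parsed and parsed[1] and parsed[1].lower() in {d.lower() for d in blocked_domains})

def constructed_type3_header(domain, user, workstation):
    """Constructed Type 3 header value (Unicode strings, empty responses) for exercising the parser."""
    fields = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    bufs, payload = b"", b""
    for f in fields:  # LM response, NTLM response, domain, user, workstation, session key
        bufs += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

With blocked_by_domain(header, ["domain2"]) the type 3 case is caught as well, which the plain "*domain2*" string match in the iRule above does not do.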