Forum Discussion
NimbostratusGet username in iRule without APM
I have an SSO process running in an ASP webpage in IIS. This is the only thing this server does so I was thinking about replacing this process with an iRule. The thing that has me stumped is how to retrieve the username in the iRule to pass on to the web service. From what I am seeing, there are solution to do this when using APM, but I'm hoping to not involve another module and stick with LTM only if possible. Is this even remotely possible?
5 Replies
How does the SSO process running in the ASP webpage in IIS get the username? Probably the best thing is to analyze what it does first, then see how to emulate or improve on that.
Russell_77729It uses windows integrated authentication in IIS to retrieve DOMAIN\username then strips "DOMAIN\" to be left with just the username with the following VB code. Dim loginName As String = Request.LogonUserIdentity.Name.ToString.Split("\"c)(1).Replace(" "c, "_")
OK, so you'd need to write a server implementation of NTLM authentication in an iRule. This is difficult and probably not really a good idea because of the complexity. APM does provide this mechanism to validate the creds via NTLM, however with APM we don't have any access to the password because of how NTLM works (it's technically impossible). To get around this, SAML or kerberos is usually used. Like this:
- User authenticates to APM via IE w/NTLM automatic-authentication in Local Intranet.
- User now has APM session with their username (username is grabbed from NTLM, but not the PW)
- APM SSOs the user to some other IIS backend via Kerberos S4U, using the username and a service account
- Russell_77729Is there a deployment guide, iApp, or example you can point me to for this?
tiwang_122270ps: do you wan't to run without apm because of the java-stuff or why? if you run some dedicated client instead of a browser you have the option to run "client-less" trough the apm br /ti
