For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

stackempty_1218's avatar
stackempty_1218
Icon for Nimbostratus rankNimbostratus
Jul 25, 2014

iControl Rest Api Authentication/Authorization with Active Directory

Hello,

 

I noticed that when f5 is set to use remote authentication (active directory), I cannot authenticate to the rest api. I get "no user name {username} found.". But when its change to authenticate locally, the rest api is fine and i can authenticate. Is this a known bug? If so .. any dates to a fix?

 

Thank you.

 

devops
iControl

9 Replies

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Jul 28, 2014

    Working on my side with 11.5.1 HF2. Do you have a remote role configuration ? if no what is your default external users configuration for role and terminal in the configuration ?

     

  • Richard_Tocci_7's avatar
    Richard_Tocci_7
    Historic F5 Account
    Sep 11, 2014

    I've been trying to get something like this to work for my customer, with no success. I tried manipulating the Authorization header, keeping BigIP credentials and AD credentials the same, but while my logic appears sound, I don't think the BigIP is allowing me. I'm using an APM profile to do the auth, but it's just not yet working. I'll post more on DevCentral later if I get it working.

     

  • stackempty_1218's avatar
    stackempty_1218
    Icon for Nimbostratus rankNimbostratus
    Oct 09, 2014

    @arnaud

     

    Yes i have remote role configuration. The user trying to access the rest API is an administrator. Any ideas why this is happening.?

     

    Regards.

     

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Oct 13, 2014

    quick update on this one, there is an existing bug opened for it. remote user authentication is currently working for Icontrol SOAP but not for Icontrol REST.

     

  • StephanManthey's avatar
    StephanManthey
    Icon for Nacreous rankNacreous
    Oct 13, 2014

    Hi,

     

    there is a workaround in case you are using the REST API not via the management interface.

     

    A virtual server rewrites the Auth header (it´s a basic authentication) to "admin" (passphrase is b64 encoded with basic authentication) after validating the users credentials inside the iRule. This approach will also allow to add client cert based user authentication and a source IP based ACL for REST API access. The request will be forwarded to a self-IP (via node command in iRule).

     

    Thanks, Stephan

     

    • Arnaud_Lemaire's avatar
      Arnaud_Lemaire
      Icon for Employee rankEmployee
      Jan 06, 2015
      Hello Nigel, having a look internaly it seems to be corrected for next upcoming major release.
  • Stefan_Dorobek_'s avatar
    Stefan_Dorobek_
    Icon for Nimbostratus rankNimbostratus
    Oct 28, 2015

    Hey everyone,

     

    If someone facing this problems, there is an workaround in version 12.

     

    You need to create the User first local on the device, after that you can use that user to make REST call's just with basic auth. So you need no Post to the login or/and an login reference.

     

    There is a dokumentation with authentication token, but I don't managed to get this to work on an bigip (https://devcentral.f5.com/wiki/icontrol.authentication_with_the_f5_rest_api.ashx) maybe it's only for bigiq.

     

    Regards Stefan