Forum Discussion
abdel-ibnou
Altostratus
AltostratusPersist connection based on NTLM username
Hello; Have anyone an idea if the persistence based on NTLM username is possible or not without envolving APM module? by analysing pcap traffic, i've found that the username is interchanged between...
Wait a second... did you said the user is using scripts to authenticate with different users? The tell the dude to add a custom http header in his scripts containing the username. Problem solved... 😉
Cheers, Kai
Kai_Wilke
MVP
MVPHi Abdel-Ibnou,
although its basically a no brainer to extract the DOMAIN\User string out of the NTLM Handshake.
if { [HTTP::header value "Authorization"] starts_with "NTLM TlRMTVNTUAADAAAA" } then {
set ntml_type3 [b64decode [findstr [HTTP::header value "Authorization"] " " 1]]
binary scan $ntml_type3 @28sx2sx2sx2s dom_len dom_off usr_len usr_off
binary scan $ntml_type3 @${dom_off}A${dom_len}@${usr_off}A${usr_len} domain user
log "This is what you are looking for: [string map { \x00 "" } $domain]\\[string map { \x00 "" } $user]"
}
It would probably not work to shift the workload from NODE_A to NODE_B in the case the client is trying to establish a new NTLM session to the non-persisted node. It would most likely cause annoying authentication popups in user-agents, if you would call [LB::detach] and reselect the pool member by assigning a [persist uie label] at this point.
For transparent NTML authentication you may deploy source_ip or cookie bases persistence sessions to make sure the user-agent is persistet independently of the NTLM authentication. But this wont work, if many independent user-agents / client devices are used or if a single user-agent should become distributed based on the username currently used.
You may consider to switch from NTLM to SPNEGO/Kerberos authentication, in this case you could simply call [LB::detach] and reassign the node as you like as soon as you see a ticket flying in. Kerberos does not depend on challenges/responses that require multiple round trips...
Cheers, Kai
- Kai_Wilke
Wait a second... did you said the user is using scripts to authenticate with different users? The tell the dude to add a custom http header in his scripts containing the username. Problem solved... 😉
Cheers, Kai
abdel-ibnouthank you Kai_Wilke the irule script is interessant for retrieving info from Authorization header. sure i will test it but not in this case. I have suggested already that to customer he need to specify something on header for isolating each session. after thinking deeply about this problem, it seems it is not a persistence case (as you mentionned detaching a session and redirect it to another node will trigger a new authentication and it could impact the application behavior). the problem is mainly about taking a LB decision based on the new customized header and keep persisting using the same creteria.
Thank you again for you reply. i will mention your last post as a solution