Forum Discussion
Reset forgotten user password iRule = Sideband
Hi Guys,
Just discovered the sideband technique. I'm looking into crafting an iRule to reset a user password in Active Directory. I'm using APM to get the user login name. BIG-IP LTM 11.5.4. Here is the workflow of the APM policy:
1. Detect the URL is a password reset URL through the landinguri variable (via an iRule event)
2. Present the user with a login page to enter his username
3. Do an AD query to get the attributes (email)
4. Generate an OTP
5. Send an email with the OTP
6. Present the user with a login page to enter the OTP
7. Verify the OTP
8. Reset the user password in AD with an iRule
9. Set the attribute "User must change password at next logon"
10. Send the new password to the user's email (fetched in step 3)
11. Present the user with a login page to enter his user name and password
12. Authenticate via AD Auth
13. Do an SSO Mapping to get a kerb ticket
14. Let the user in if everything is ok
And the missing steps are:
- Reset the user password in AD with an iRule
- Set the attribute "User must change password at next logon"
Thanks for your help.
- JoeTheFifth (Altostratus)
My plan:
- Build a lightweight IIS web site on my Web Server
- Add code (C#) to reset the password and set 'Change Password at next logon' based on a string (username) received in the query. Example:
- Create an iRule to perform a sideband connection => send the username and get a success result
- Go on with the APM policy if the result is OK.
- User will get a random password and will be asked to change it by APM on next logon
What do you guys think?
- JoeTheFifth (Altostratus)
I managed to make it work as expected. I made a webservice (IIS) and added code to generate a temp random password, reset the user password using this random temp one, check the box 'user must change password at next logon' and email the temp password to the user. I forked a sideband iRule to connect to the webservice through a virtual server and send the query to trigger the webservice web method to do the job. The webservice runs under an app pool account with the necessary rights to perform the password reset and attribute change and return success or failure. The returned data is processed by the iRule and a variable is set to ok or ko and is available to the APM policy flow. The APM policy continues based on the 1/0 result => access/deny.
I now have to think of ways to make this secure. The options I see:
1. Make the webservice work through HTTPS
2. Make the webservice accessible to the BIG-IP self IPs only
3. Make the webservice authenticated maybe and add a user and password in the sideband connection (not sure this is doable)
Please let me know if you have security lockdown options.
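The sideband call described above, as an added example (not the poster's own iRule). It assumes an APM iRule Event agent with ID "pwreset", a sideband virtual server named "vs_pwreset_sideband" that carries the server SSL profile (and client certificate), a host header "pwreset.example.local", and a web method at "/PasswordReset.asmx/Reset" that answers "RESULT=OK" on success; all of these names are assumptions. The policy then branches on session.custom.pwreset.result.

```tcl
# Added example, not the thread's code. Assumed names: agent ID "pwreset",
# sideband VS "vs_pwreset_sideband", host "pwreset.example.local",
# web method "/PasswordReset.asmx/Reset" returning the body marker "RESULT=OK".
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "pwreset" } { return }

    # Deny by default; only an explicit success from the service flips this to 1.
    ACCESS::session data set session.custom.pwreset.result 0

    set user [ACCESS::session data get "session.logon.last.username"]

    # Accept only characters valid in a sAMAccountName, so nothing that could
    # alter the query or an LDAP filter ever reaches the web service.
    if { ![regexp {^[A-Za-z0-9._-]{1,20}$} $user] } {
        log local0. "pwreset: rejected username with unexpected characters"
        return
    }

    set conn [connect -timeout 3000 -idle 10 -status conn_status "vs_pwreset_sideband"]
    if { $conn eq "" } {
        log local0. "pwreset: sideband connect failed ($conn_status)"
        return
    }

    set req "GET /PasswordReset.asmx/Reset?username=[URI::encode $user] HTTP/1.1\r\n"
    append req "Host: pwreset.example.local\r\n"
    append req "Connection: close\r\n\r\n"

    send -timeout 3000 -status send_status $conn $req
    set resp [recv -timeout 3000 -status recv_status $conn]
    close $conn

    # Require a 200 plus the service's own success marker, so a default IIS
    # page or an error page can never be mistaken for a successful reset.
    if { [string match "HTTP/1.? 200 *" $resp] && [string first "RESULT=OK" $resp] >= 0 } {
        ACCESS::session data set session.custom.pwreset.result 1
        log local0. "pwreset: reset succeeded for $user"
    } else {
        log local0. "pwreset: reset failed for $user (recv status: $recv_status)"
    }
}
```

Because the TLS and client-certificate handling live on the sideband virtual server's server SSL profile, the iRule itself never carries credentials.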
- Daniel_W__13795 (Nimbostratus)
I recommend using certificate-based authentication to secure the link between F5 and IIS. This is the most secure way and easy to implement. You will find a good cookbook here: https://medium.com/@hafizmohammedg/configuring-client-certificates-on-iis-95aef4174ddb
You will then need to attach the client certificate on the server SSL profile of the sideband VS.
Good luck
- Daniel_W__13795 (Nimbostratus)
Just forgot to mention: we got trouble using SHA1-signed certs, so better go for SHA256 certificates.
- JoeTheFifth (Altostratus)
The solution is working fine. I even added AD group management in the webservice script for users authenticated through this APM policy. The script adds users to a specific group on first logon and APM checks the presence of the authenticated users in this group when validating access. So question closed :-)