Forum Discussion
Reset forgotten user password iRule = Sideband
My plan:
- Build a lightweight IIS web site on my Web Server
- Add code (C#) to reset the password and set 'User must change password at next logon', based on a string (username) received in the query, for example:
- Create an iRule to perform a sideband connection => send the username and get a success result
- Go on with the APM policy if the result is OK.
- User will get a random password and will be asked to change it by APM on next logon
What do you guys think?
- JoeTheFifth, Jun 22, 2017 (Altostratus)
I managed to make it work as expected. I made a web service (IIS) and added code to generate a temporary random password, reset the user's password to this random temporary one, check the box 'User must change password at next logon' and email the temporary password to the user. I forked a sideband iRule to connect to the web service through a virtual server and send the query that triggers the web service's web method to do the job. The web service runs under an app pool account with the necessary rights to perform the password reset and the attribute change, and returns success or failure. The returned data is processed by the iRule and a variable is set to ok or ko, which is available to the APM policy flow. The APM policy continues based on the 1/0 result => access/deny.
I now have to think of ways to make this secure. The options I see:
1. Make the web service work over HTTPS.
2. Make the web service accessible to the BIG-IP self IPs only.
3. Maybe make the web service authenticated and add a user and password in the sideband connection (not sure this is doable).
Please let me know if you have security lockdown options.
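The sideband flow described above, written as an added example iRule that is not the poster's own code: it validates the username before it ever leaves the BIG-IP, bounds every sideband timeout, fails closed by defaulting the APM variable to 0, and only sets it to 1 on an HTTP 200 whose body is exactly "OK". The virtual server name "vs_pwreset_sideband", the agent id "pwreset", the "/reset" path, the Host header value and the variable name session.custom.pwreset.ok are assumptions; TLS and client-certificate authentication to the web service belong on that virtual server's server SSL profile, not in the iRule.

```tcl
# Added example iRule (not from the thread). Attach to the APM virtual server and
# call it from an iRule Event agent with ID "pwreset" in the access policy.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "pwreset" } { return }

    # Fail closed: the policy branch only proceeds when this later becomes 1.
    ACCESS::session data set session.custom.pwreset.ok 0

    set user [ACCESS::session data get "session.logon.last.username"]

    # Only sAMAccountName-style values reach the web service; anything else
    # (spaces, '&', '=', '/', '%', ...) is rejected so the query cannot be shaped.
    if { ![regexp {^[A-Za-z0-9._-]{1,64}$} $user] } {
        log local0. "pwreset: rejected username format for session [ACCESS::session sid]"
        return
    }

    # Assumed sideband VS name; its server SSL profile carries the client cert.
    set conn [connect -timeout 1000 -idle 30 -status conn_status "vs_pwreset_sideband"]
    if { $conn eq "" } {
        log local0. "pwreset: sideband connect failed ($conn_status)"
        return
    }

    set req "GET /reset?user=${user} HTTP/1.1\r\n"
    append req "Host: pwreset.example.internal\r\n"
    append req "Connection: close\r\n\r\n"
    send -timeout 1000 -status send_status $conn $req

    # Bounded read: a slow or hung web service must not stall the access policy.
    set resp [recv -timeout 3000 -status recv_status $conn]
    close $conn

    # Require a 200 status line AND a body that is exactly "OK"; a substring
    # match against an error page must never grant access.
    set body ""
    set hdr_end [string first "\r\n\r\n" $resp]
    if { $hdr_end >= 0 } {
        set body [string trim [string range $resp [expr {$hdr_end + 4}] end]]
    }
    if { [regexp {^HTTP/1\.[01] 200 } $resp] && $body eq "OK" } {
        ACCESS::session data set session.custom.pwreset.ok 1
    } else {
        log local0. "pwreset: reset refused or failed for user ${user}"
    }
}
```

In the access policy, branch on session.custom.pwreset.ok == 1 after the iRule Event agent; every other outcome lands on the deny branch.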
- Daniel_W__13795, Jun 23, 2017 (Nimbostratus)
I recommend you use cert-based authentication to secure the link between F5 and IIS. This is the most secure way and easy to implement. You will find a good cookbook here: https://medium.com/@hafizmohammedg/configuring-client-certificates-on-iis-95aef4174ddb
You will then need to attach the client certificate to the server SSL profile of the sideband VS.
Good luck
- Daniel_W__13795, Jun 23, 2017 (Nimbostratus)
Just forgot to mention: we got into trouble using SHA1-signed certs, so better go for SHA256 certificates.
- JoeTheFifth, Jun 23, 2017 (Altostratus)
Spot on! Just what I was thinking about this afternoon. Thanks for the link.
- Rohit_Singla_17, Nov 28, 2017 (Nimbostratus)
Hello Joe, can you share the iRule that you used to trigger the AD queries?
- JoeTheFifth, May 29, 2018 (Altostratus)
Sorry for the late reply, but it is not only an iRule you need. You need:
- A web service running under an account with password reset delegation in AD
- A web server with SMTP authorization to send emails
- An iRule to send/receive/process requests
- A sideband VS to send/receive the reset requests
- A secured implementation so your web service is not hacked
- JoeTheFifth, May 29, 2018 (Altostratus)
Daniel, did you implement the cert-based auth you talk about above? The sideband VS runs on HTTP port 80 for the moment. I know there is an HTTPS sideband implementation but I haven't tried it yet.
- JoeTheFifth, Jul 22, 2018 (Altostratus)
OK, cert-based auth done.
- JoeTheFifth, Jul 22, 2018 (Altostratus)
Just make sure you use a SHA256 certificate like Daniel said.