
Forum Discussion

navgup_66025 (Nimbostratus)
Jun 28, 2013

spnego kerberos header vs ntlm header

I have 2 pools for a virtual. PoolA has 2 nodes with Kerberos/SPNEGO-enabled backend web servers and PoolB has 2 nodes with NTLM-enabled backend web servers.

I am new to this and looking for some clues on how to grab the header info (or error code) and send a client to PoolA or PoolB depending on whether he has a Kerberos ticket or not.

Logical flow (option 1)

User 1 (with Kerberos ticket) using IE (Integrated Windows Authentication enabled)

- goes to virtual address https://app.domi.com

>> is directed to PoolA because F5 sees (?? some unique header ??) and redirects traffic there

User 2 (with non-Kerberos NTLM traffic) using IE (Integrated Windows Authentication enabled)

- goes to virtual address https://app.domi.com

>> is directed to PoolB because F5 sees (?? some unique header ??) and redirects traffic there

Logical flow (option 2)

User goes to virtual address https://app.domi.com

>> is directed to PoolA; server returns a certain error code (??); tries PoolB

Questions:

- Any clue where to look for the unique header?

- Any clue where to look for the error code?

3 Replies

  • Because the browser generally sends the same "Authorization: Negotiate" header for both NTLM and Kerberos requests, I believe the easiest thing would just be to look at the size of the header. Kerberos Authorization headers are MUCH longer than NTLM Authorization headers.
  • Can you please point me to some sample code? What is the reasonable size of a Kerberos header? Thanks.
  • Here's a great article that speaks to exactly what I mean: http://blogs.technet.com/b/tristank/archive/2006/08/02/negotiate-this.aspx

    The first thing I would do is start logging HTTP request headers to see what you're actually getting. You'll notice right away what the differences are in size and can tweak your iRule accordingly. Here's a simple logging loop for request headers:

    when HTTP_REQUEST {
        # Log every request header so the Authorization values of Kerberos
        # and NTLM clients can be compared side by side
        foreach x [HTTP::header names] {
            log local0. "header($x) = [HTTP::header $x]"
        }
    }

    You're looking for the "Authorization" header. Once you've determined an appropriate size constraint:

    when HTTP_REQUEST {
        if { [HTTP::header exists Authorization] } {
            # Fill in the length threshold observed from the logging loop above:
            # NTLM tokens fall at or below it, Kerberos tokens above it.
            # (Tcl's if already evaluates an expression, so expr is not needed.)
            if { [string length [HTTP::header Authorization]] <= } {
                pool NTLM_pool
            } else {
                pool Kerberos_pool
            }
        }
    }

    Give that a try.