
Forum Discussion

Rik_Koenig_7777
Dec 06, 2013

SSO across services/pools

I'm running a v10 LTM+APM and I have a MS service manager running in the back end. In their infinite wisdom, MS is running this as a normal port 80 HTTP server, which then calls Silverlight to run on TCP/444.

When you access this from a non-domain machine, each service (HTTP and Silverlight) separately asks for authentication.

I'm looking for the best way to collapse this to SSO, without using anything that must be installed on the machine or browser; many clients use machines where they cannot install anything.

Should I look at running an all-port VIP, with a login page that can pass NTLM to the back end? Or a webapp/webtop?

TIA

rik

 

7 Replies

  • I'm not totally sure what Silverlight does from a protocol perspective, but I'm assuming it's not HTTP, but that it rides on HTTP for NTLM authentication. If that's true, then the next question is how you'd establish persistence between the HTTP and Silverlight services. So let's say the client talks to the HTTP service first, authenticates through APM, and establishes a session. If the same browser client is used to talk to Silverlight, does it pass HTTP cookies?

  • Great. So is it the same client for both? I'm thinking if you can force both services through a single APM VIP, or use two VIPs and a domain cookie setting in APM, then the MRHSession token from the HTTP service access policy should get consumed by the Silverlight access policy and allow you to do SSO to both.

  • It could be possible to do all of this in a single VIP, but it's important to understand the client environment. Is it one client browser accessing both services? Would a cookie generated by one be sent to the other?

  • Same browser for both. The Silverlight is displayed inside the webpage.

    Yes, but does the Silverlight request carry cookies that are sent to the HTTP client?

    Ultimately we need to find some commonality between the two clients' requests. If both carry the same cookies to the server, then we can use that to forge some persistence. Otherwise we potentially have to look at other ways.

  • It looks like the cookies are the same. Requests made on either port reference the same WSS_KeepSessionAuthenticated cookie.

    Sweet. Okay, then the next step is either to:

    1. Create two APM VIPs and let them share the access token via domain cookie setting, or

    2. Force both clients to go through the same wildcard port APM VIP (and some iRule logic to disable all other incoming ports).

  • Thank you.

    I have a single wildcard VS set up, with an SSO profile. An iRule filters out undesired ports, and another picks pools based on port.

    I'd had an issue with the APM logon page, but I think it's licked.

    The only thing left is persistence across pools/ports. My pools are only one node at the moment; I will have to add more now that SSO is functional.
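As an added example (not the poster's own iRules), one way to combine the port filter, the per-port pool selection and the remaining cross-pool persistence in a single iRule on the wildcard-port APM virtual server. The pool names, the assumption that both ports carry plain HTTP the LTM can parse, and the persistence profile setting are assumptions, not taken from the thread.

```tcl
# Added example, not the poster's own iRules. Attach to the wildcard (port 0)
# APM virtual server. Pool names are placeholders.
when CLIENT_ACCEPTED {
    # Only the two ports the application actually uses are allowed through;
    # anything else is dropped at the connection layer.
    switch [TCP::local_port] {
        80      { pool pool_http_80 }
        444     { pool_silverlight_444 }
        default { reject }
    }
}

when HTTP_REQUEST {
    # Both ports carry the same WSS_KeepSessionAuthenticated cookie (per the
    # thread), so key universal persistence on it. This assumes a universal
    # persistence profile with "Match Across Pools" enabled is attached to the
    # virtual server; otherwise the two pools keep separate persistence records.
    set authcookie [HTTP::cookie value "WSS_KeepSessionAuthenticated"]
    if { $authcookie ne "" } {
        persist uie $authcookie
    }
}
```

Requests that arrive before the application sets the cookie fall back to the default load-balancing decision, so the first pool member chosen for a user is the one both pools will follow once the cookie appears.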