SWG, Kerberos Auth and identify users by credentials

Problem this snippet solves: When using SWG and NTLM Auth it's possible to identify users by IP address or credentials. However, when using Kerberos Auth it isn't possible to identify users by crede...

Published Feb 27, 2019

Version 1.0

authentication

BIG-IP Access Policy Manager (APM)

MVP

Joined May 15, 2019

View Profile

Kai_Wilke

MVP

Jan 28, 2020

Hi Niels,

I've found your snipped in the hope to find a method to reuse existing APM sessions in the case that Negotiate authentication was used across multiple connections and the client is unable to process http-cookies.

Can you please further elaborate on how the offsets are choosen to differentiate individual clients?

set krbTicketPart [string range [findstr [TCP::payload] "Proxy-Authorization: Negotiate YII" 35 " "] 0 30]

If I b64/ASN.1 decode the krbTicketPart, it includes just the SPNEGO-OID which should be the same for every single client?

Application 0 (2 elem)
  OBJECT IDENTIFIER 1.3.6.1.5.5.2
  [0] (1 elem)
    SEQUENCE (2 elem)
      [0] (1 elem)
        SEQUENCE (4 elem)
          OBJECT IDENTIFIER

Cheers, Kai

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

SWG, Kerberos Auth and identify users by credentials

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS