For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

SWG, Kerberos Auth and identify users by credentials

Problem this snippet solves: When using SWG and NTLM Auth it's possible to identify users by IP address or credentials. However, when using Kerberos Auth it isn't possible to identify users by crede...
Published Feb 27, 2019
Version 1.0
authentication
BIG-IP Access Policy Manager (APM)
kerberos
Secure Web Gateway
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 28, 2020

Hi Niels,

I've found your snipped in the hope to find a method to reuse existing APM sessions in the case that Negotiate authentication was used across multiple connections and the client is unable to process http-cookies.

Can you please further elaborate on how the offsets are choosen to differentiate individual clients?

set krbTicketPart [string range [findstr [TCP::payload] "Proxy-Authorization: Negotiate YII" 35 " "] 0 30]

If I b64/ASN.1 decode the krbTicketPart, it includes just the SPNEGO-OID which should be the same for every single client?

Application 0 (2 elem)
  OBJECT IDENTIFIER 1.3.6.1.5.5.2
  [0] (1 elem)
    SEQUENCE (2 elem)
      [0] (1 elem)
        SEQUENCE (4 elem)
          OBJECT IDENTIFIER

Cheers, Kai