SWG, Kerberos Auth and identify users by credentials
Dug a little bit further into reusing existing APM sessions in the case that Negotiate-Kerberos is used.
Without fully decoding the Negotiate-Kerberos message in front of APM (including decrypting session ticket information, extracting session-specific keys and finally verifying the Message-Authenticator), it's not possible to securely identify the user.
I'm working right now on an APM policy that looks up the existing APM session for the same user directly after the Kerberos-Auth action is complete and then starts to copy session information from the existing APM session to speed up VPE processing. After the VPE is finished, an iRule will destroy the just-created APM session after HTTP_RESPONSE and then steer subsequent requests over the same TCP connection to the old APM session. Not ideal, but seems to be the best that can be done... :-(
Cheers, Kai
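For readers who want to see the shape of the flow Kai describes (look up an earlier session for the same user after Kerberos Auth, copy variables across, drop the duplicate session once the policy finishes, and steer later requests on the connection to the old session), the iRule sketch below is an added illustration, not Kai's policy or any F5-provided code. It assumes two VPE iRule Event agents with the IDs `reuse_session` (on the Successful branch of Kerberos Auth) and `vpe_done` (just before Allow), a constructed session-table subtable `apm_user_sid` that maps username to session ID (APM has no built-in username-to-session index in iRules, so the rule maintains its own), the hypothetical custom variable `session.custom.reuse_sid`, and the list of session variables to copy is a placeholder. The steering step relies on rewriting the `MRHSession` cookie; whether HTTP_RESPONSE fires for the APM-generated end-of-policy response should be verified on the target version.

```tcl
# Added example (not the original poster's code): reuse an existing APM session for the
# same user after Kerberos Auth. Agent IDs, the subtable name and the copied variable
# list are assumptions for illustration.

when ACCESS_POLICY_AGENT_EVENT {
    switch -- [ACCESS::policy agent_id] {
        "reuse_session" {
            # Runs only on the Successful branch of Kerberos Auth, so the username
            # has been validated against the KDC before we trust it for the lookup.
            set user [ACCESS::session data get "session.logon.last.username"]
            set old_sid [table lookup -subtable apm_user_sid $user]
            if { $old_sid ne "" && [ACCESS::session exists -state_allow $old_sid] } {
                # Copy the variables the remaining policy branches need (placeholder list)
                foreach key { "session.logon.last.domain" "session.ad.last.attr.memberOf" } {
                    set val [ACCESS::session data get -sid $old_sid $key]
                    if { $val ne "" } { ACCESS::session data set $key $val }
                }
                # Remember which session this one should be folded into later
                ACCESS::session data set "session.custom.reuse_sid" $old_sid
            } else {
                # No reusable session: index this one for the next logon of the same user
                # (lifetime/timeout in seconds, constructed values)
                table set -subtable apm_user_sid $user [ACCESS::session sid] 3600 3600
            }
        }
        "vpe_done" {
            # Nothing to do here beyond marking completion; the swap happens in HTTP_RESPONSE
            ACCESS::session data set "session.custom.vpe_done" 1
        }
    }
}

when HTTP_RESPONSE {
    # Once the policy has finished and a reusable session was found, drop the duplicate
    # session and hand the client the old session ID instead.
    set reuse_sid [ACCESS::session data get "session.custom.reuse_sid"]
    if { $reuse_sid ne "" && [ACCESS::session data get "session.custom.vpe_done"] eq "1" } {
        set steer_sid $reuse_sid
        ACCESS::session remove
        if { [HTTP::cookie exists "MRHSession"] } {
            HTTP::cookie value "MRHSession" $steer_sid
        }
    }
}

when HTTP_REQUEST {
    # Later requests on the same TCP connection: rewrite the session cookie so APM
    # matches them to the surviving session rather than the removed one.
    if { [info exists steer_sid] && [HTTP::cookie exists "MRHSession"] } {
        HTTP::cookie value "MRHSession" $steer_sid
    }
}
```

The connection-scoped `steer_sid` variable only covers requests on the same TCP connection, which is the limitation Kai mentions; a new connection presents whichever cookie the client stored, so the Set-Cookie rewrite in HTTP_RESPONSE is what keeps the browser on the old session after the swap.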