APM Sharepoint authentication
Cumulonimbus
MVPHi Stanislas,
good point to allow the MRHSession_SP persistent cookie logins only to non-browsers. I've already changed my code to include this additional security mechanism (see below). The performance impact off this change shouldn't be that much, since the
HTTP_RESPONSEI don't have any information that ACCESS::session will park the connection till every other TMM has been contacted. I thought its more like a
[table]"Note: When you run the ACCESS::session command, iRule execution on the connection will be suspended until the operation completes only if the session database record is held by another TMM; this situation allows the current TMM to retrieve the data from the other TMM before processing the remainder of the iRule. The ACCESS:: commands are available only if your BIG-IP system is licensed for the BIG-IP APM system."
Do you have additional information on the ACCESS:: connection parking behavior?
when CLIENT_ACCEPTED {
set inject_session_cookie 0
}
when HTTP_REQUEST {
Check if APM session cookie is present and valid
if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and
( [ACCESS::session exists -state_allow $sessionid] ) } then {
Allow the successfully pre authenticated request to pass
} else {
Enumerate explicit MS-OFBA authentication capabilities
Background: https://msdn.microsoft.com/en-us/library/office/cc313069(v=office.12).aspx
if { ( [HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "t" ) or
( [HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "f" ) } then {
Explicit MSOFBA support detected.
set authschema "ms-ofba"
} else {
Enumerate implicit MS-OFBA authentication capabilities
switch -glob -- [string tolower [HTTP::header "User-Agent"]] "*office protocol discovery*" - \
"*microsoft office*" - \
"*microsoft data access internet publishing provider*" - \
"*non-browser*" - \
"msoffice 12*" - \
"*microsoft-webdav-miniredir*" - \
{*ms frontpage 1[23456789]*} {
Implicit MSOFBA support detected.
set authschema "ms-ofba"
} "*ms frontpage*" {
Legacy client detected
set authschema "legacy"
} "*mozilla*" - \
"*opera*" {
Regular web browser detected.
set authschema "browser"
} default {
set authschema "legacy"
}
}
if { not ( $authschema eq "browser" ) and
( [set sessionid [HTTP::cookie value "MRHSession_SP"]] ne "" ) and
( [ACCESS::session exists -state_allow $sessionid] ) } then {
Restore APM session cookie value
HTTP::cookie insert name "MRHSession" value $sessionid
set inject_session_cookie 1
Allow the successfully pre authenticated request to pass
} else {
if { $authschema eq "ms-ofba" } then {
Send a MSOFBA compatible Access Denied response
if { [HTTP::path] ne "/sp-msofba-form" } then {
HTTP::respond 403 -version "1.1" \
content "Access Denied. Make sure that your client is correctly configured. See https://support.microsoft.com/en-us/kb/932118 for further information." \
noserver \
"Content-Type" "text/html" \
"X-FORMS_BASED_AUTH_REQUIRED" "https://[getfield [HTTP::host] ":" 1]/sp-msofba-form" \
"X-FORMS_BASED_AUTH_RETURN_URL" "https://[getfield [HTTP::host] ":" 1]/sp-msofba-completed" \
"X-FORMS_BASED_AUTH_DIALOG_SIZE" "800x600" \
"Set-Cookie" "MRHSession=deleted;path=/;secure" \
"Set-Cookie" "LastMRH_Session=deleted;path=/;secure" \
"Set-Cookie" "MRHSession=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure" \
"Set-Cookie" "LastMRH_Session=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure"
}
} elseif { $authschema eq "legacy" } then {
Send a regular Access Denied response
HTTP::respond 403 content "Access denied. An unsupported client access has been detected."
} else {
Let the regular web browser request pass to the APM policy
}
}
}
}
when ACCESS_ACL_ALLOWED {
switch -glob -- [string tolower [HTTP::path]] "/sp-msofba-form" {
Successfully APM authenticated request MS-OFBA request detected. Redirect to MS-OFBA return URL
ACCESS::respond 302 noserver Location "/sp-msofba-completed"
} "/sp-msofba-completed" {
Successfully APM authenticated request MS-OFBA request detected. Sending MS-OFBA return response
ACCESS::respond 200 content "AuthenticatedGood Work, you are Authenticated" noserver
} "*/signout.aspx" {
SharePoint SignOut signature detected. Disconnect session and redirect to APM logout Page
ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
} "/_layouts/accessdenied.aspx" {
SharePoint AccessDenied signature detected.
if { [string tolower [URI::query [HTTP::uri] loginasanotheruser]] equals "true" } then {
SharePoint LoginAsAnotherUser request detected. Killing the APM session an sending redirect to www-root.
ACCESS::session remove
ACCESS::respond 302 noserver Location "/"
return
}
} default {
Let the authenticated request pass
}
}
when HTTP_RESPONSE {
if { [HTTP::header "Content-Type" ] contains "text/html" } then {
Insert persistent APM session cookie into HTTP response.
HTTP::header insert "Set-Cookie" "MRHSession_SP=$sessionid;Path=/;Secure;HttpOnly"
HTTP::cookie expires "MRHSession_SP" 120 relative
}
if { $inject_session_cookie } then {
Insert APM session cookie into HTTP response.
HTTP::header insert "Set-Cookie" "MRHSession=$sessionid;Path=/;Secure;HttpOnly"
set inject_session_cookie 0
}
}
Note: If the F5 exchange irule uses
to offload authentication request, then its a even a bigger issue... 😞 The problem is, that you can easily bruteforce AD accounts if the offloading cache is not protected by an account lockout mechanism. You can guess passwords even if the account is already locked out and if the correct password is found you are allowed to enter or at least get a slightly different error message. A max session timeout period of 1 hour wouldn't make it better if SmartPhones polls the mailbox 24/7, isn't it?[ACCESS::user getsid $user_key]
Cheers, Kai