APM Sharepoint authentication

Problem this snippet solves: Updated version to support Webdav with windows explorer after Nicolas's comment. APM is a great authentication service but it does it only with forms. The default be...
Published Apr 20, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
editing office documents
iRules
ms-ofba
programmability contest
security
sharepoint
Kai_Wilke
Sep 14, 2016

Hi Stanislas,

No please don't, I have to thank YOU for pointing me in the right direction. Your iRule simply rocks! 🙂

I'm rather unsure if certain SSL-inspection proxies may share upstream connections between different internal clients unless "Session-Based-Authentication" support is explicitly requested. At least certain HTTP proxies will recycle connections. But since HTTP is per RFC a stateless protocol, it's always better to prepare for the worst and accept the fact that certain proxies may recycle connections, isn't it?

Question: Rumours (e.g. sol36322151) are going around that TMOS v12+ supports TCL 8.5 for iRules. Do you know how to enable TCL 8.5? If you have some spare time left I would be glad if you could open a support call to find out. I don't have a valid support contract in my pocket... 😞

In addition, I was able to repro my concerns regarding the mentioned account lockout bypass.

Behavior with APM Profile "Restrict to Single Client IP" Option = DISABLED

1.) Access the site using a legacy client (aka. Basic Auth)

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - HTTP_REQUEST"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: close
Content-Length: 0

2.) Login as valid user using credential set: test:password1+

HTTP/1.1 302 Redirect
Location: /pages/default.aspx
Server: Microsoft-IIS/8.0
...
Set-Cookie: MRHSession=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly
Set-Cookie: LastMRH_Session=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly

3.) Login from a different host using credential set: test:password1-

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - ACCESS_POLICY_COMPLETED"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: Close
Set-Cookie: LastMRH_Session=e443275f;path=/;secure;HttpOnly
Set-Cookie: MRHSession=7884faddb7f22b02f86b38f4e443275f;path=/;secure;HttpOnly
Content-Length: 0

4.) Repeat step 3.) multiple times to lock the user account in your repository

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - ACCESS_POLICY_COMPLETED"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: Close
Set-Cookie: LastMRH_Session=3c9093b9;path=/;secure;HttpOnly
Set-Cookie: MRHSession=26212f5e9bec540efa77ad963c9093b9;path=/;secure;HttpOnly
Content-Length: 0

5.) Login from a different host using credential set: test:password1+ (aka. you have guessed the correct password!)

HTTP/1.1 302 Redirect
Location: /pages/default.aspx
Server: Microsoft-IIS/8.0
...
Set-Cookie: MRHSession=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly
Set-Cookie: LastMRH_Session=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly

Behavior with APM Profile "Restrict to Single Client IP" Option = ENABLED

1.) Access the site using a legacy client (aka. Basic Auth)

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - HTTP_REQUEST"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: close
Content-Length: 0

2.) Login as valid user using credential set: test:password1+

HTTP/1.1 302 Redirect
Location: /pages/default.aspx
Server: Microsoft-IIS/8.0
...
Set-Cookie: MRHSession=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly
Set-Cookie: LastMRH_Session=100f33e0307120fd8f2d0e886cf2b7d1; expires=Wed, 14 Sep 2016 15:48:19 GMT;path=/;secure;HttpOnly

3.) Login from a different host using credential set: test:password1-

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - ACCESS_POLICY_COMPLETED"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: Close
Set-Cookie: LastMRH_Session=e443275f;path=/;secure;HttpOnly
Set-Cookie: MRHSession=7884faddb7f22b02f86b38f4e443275f;path=/;secure;HttpOnly
Content-Length: 0

4.) Repeat step 3.) multiple times to lock the user account in your repository

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="HelloWorld - ACCESS_POLICY_COMPLETED"
Set-Cookie: MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Server: BigIP
Connection: Close
Set-Cookie: LastMRH_Session=3c9093b9;path=/;secure;HttpOnly
Set-Cookie: MRHSession=26212f5e9bec540efa77ad963c9093b9;path=/;secure;HttpOnly
Content-Length: 0

5.) Login from a different host using credential set: test:password1+ (aka. you have guessed the correct password!)

HTTP/1.0 302 Found
Server: BigIP
Cache-Control: no-cache, no-store
Connection: Close
Content-Length: 0
Location: /vdesk/hangup.php3
Set-Cookie: LastMRH_Session=e443275f;path=/;secure;HttpOnly
Set-Cookie: MRHSession=7884faddb7f22b02f86b38f4e443275f;path=/;secure;HttpOnly

Note: As you've already pointed out, the Exchange iRule uses an optional [md5 "$apm_password$src_ip"] for per-src_ip uuie keying. But even then, it can still be used to bypass repository account lockouts if you sit behind the same NAT device (e.g. same conference center, cafe, etc.). The better approach would be to implement a tight account lockout before any credential caches are used.

Cheers, Kai
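The lockout bypass reproduced above and the mitigation Kai suggests, as an added simulation that is not the iRule from the original post: a Python model of a credential cache keyed by the md5 of the password (optionally plus the client IP, like the Exchange iRule) sitting in front of a repository that enforces its own lockout, with a gateway-side lockout counter that is checked before the cache. The `Repository`, `CachingGateway` and `scenario` names, the client IPs and the threshold of 3 failures are assumptions.

```python
import hashlib

# Constructed stand-in for the backend repository (e.g. AD) with its own lockout policy.
REPO_USERS = {"test": "password1+"}
LOCKOUT_THRESHOLD = 3  # assumed value, same for repository and gateway


class Repository:
    def __init__(self):
        self.failures = {}

    def authenticate(self, user, password):
        if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return False  # account locked in the repository
        if REPO_USERS.get(user) == password:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


class CachingGateway:
    """Credential cache keyed like the iRule's md5 of password (+ client IP if per_ip).
    With lockout_before_cache=True a per-user failure counter is checked before the cache."""

    def __init__(self, repo, per_ip=False, lockout_before_cache=False):
        self.repo, self.per_ip = repo, per_ip
        self.lockout_before_cache = lockout_before_cache
        self.cache, self.failures = {}, {}

    def login(self, user, password, src_ip):
        if self.lockout_before_cache and self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return False  # locked at the gateway: the cache is never consulted
        key = hashlib.md5((password + (src_ip if self.per_ip else "")).encode()).hexdigest()
        if self.cache.get(key) == user:
            return True  # cache hit: repository (and its lockout) never consulted
        ok = self.repo.authenticate(user, password)
        if ok:
            self.cache[key] = user
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok


def scenario(per_ip, lockout_before_cache, second_host_ip):
    """Replay steps 2-5 of the comment: one good login, bad logins from a second host
    until the repository locks the account, then the correct password from that host."""
    gw = CachingGateway(Repository(), per_ip, lockout_before_cache)
    assert gw.login("test", "password1+", "10.0.0.1")            # step 2
    for _ in range(LOCKOUT_THRESHOLD):                           # steps 3-4
        assert not gw.login("test", "password1-", second_host_ip)
    return gw.login("test", "password1+", second_host_ip)        # step 5
```

`scenario(True, False, "10.0.0.1")` is the same-NAT case from the note: the per-IP key still hits the cache, while the gateway-side lockout (`lockout_before_cache=True`) refuses the login regardless of the key.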
