06-Jun-2022 04:25 - edited 28-Mar-2023 08:59
Hello everyone,
Today we are going to discuss how to use a Windows TPM virtual smart card to authenticate to BIG-IP with client certificate authentication backed by LDAP (Active Directory).
Prerequisites:
LDAP server: Microsoft Active Directory
Security groups created in Active Directory
Active Directory Certificate Services (ADCS) enabled
OCSP Responder service on a Microsoft server (for the demo I was using Windows Server 2012)
TPM (Trusted Platform Module) enabled on the Windows 10 client
Virtual smart card created with tpmvscmgr.exe
certmgr.msc (to enrol and view the user certificate on the card)
Prepare AD: create the OU, groups, users and whatever else the remote directory requires. From my end, I have created the directory structure in the following way:
The domain is ldapstest.com (search base DC=ldapstest,DC=com, as seen in the nslcd logs below).
Using ADCS, create the domain (enterprise CA) certificate that will sign the client certificate. The steps can be seen in the article below:
Creating an OCSP responder on Microsoft server
The next step is to create the virtual smart card that will hold the certificate used for authentication. Run the following on the Windows 10 client as an administrator (/pin default sets the well-known default PIN 12345678, so change it for anything beyond a lab; /adminkey random generates an admin key that is not retained, so the card cannot be unblocked or reset by an administrator later; /generate formats the card so it is ready for use):
tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate
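The whole client-side procedure above (TPM check, card creation, certificate enrolment onto the card, and verification that the key really lives on the card) as one script. This is an added example and not code from the original post; the template name VSCLogon, the CA config string dc01.ldapstest.com\ldapstest-DC01-CA, the user CN testuser and the OU path are assumptions to adjust to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): client-side provisioning of the TPM virtual smart card
# and enrolment of the certificate that BIG-IP will later validate via OCSP and map to an LDAP user.
# Assumptions (not in the post): ADCS template "VSCLogon" that uses the Microsoft Smart Card KSP,
# CA config string "dc01.ldapstest.com\ldapstest-DC01-CA", and user CN "testuser".

$CardName     = 'TestVSC'
$SubjectCn    = 'testuser'
$Template     = 'VSCLogon'
$CaConfig     = 'dc01.ldapstest.com\ldapstest-DC01-CA'
$SmartCardKsp = 'Microsoft Smart Card Key Storage Provider'

# 1. tpmvscmgr needs a present, initialised TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; enable it in firmware or run Initialize-Tpm first.'
}

# 2. Create the card. The post uses '/pin default', which sets the well-known PIN 12345678;
#    '/pin prompt' asks for a PIN instead. '/adminkey random' creates an admin key that is not
#    retained (the card cannot be unblocked later); '/generate' formats the card for use.
& tpmvscmgr.exe create /name $CardName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 3. Request the certificate so that the key pair is generated on the card: ProviderName is the
#    whole point. A software CSP/KSP here would yield a certificate that works for TLS but has no
#    TPM binding at all. If the template builds the subject from AD, the Subject line is ignored.
$inf = @"
[NewRequest]
Subject = "CN=$SubjectCn,OU=Users,DC=ldapstest,DC=com"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "$SmartCardKsp"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$work = Join-Path $env:TEMP 'vsc'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\vsc.inf" -Value $inf

# 4. Generate the request (prompts for the card PIN), submit it to the enterprise CA, install it.
#    If the template needs CA manager approval, -submit reports a pending request id to retrieve later.
& certreq.exe -new "$work\vsc.inf" "$work\vsc.req"
& certreq.exe -submit -config $CaConfig "$work\vsc.req" "$work\vsc.cer"
& certreq.exe -accept "$work\vsc.cer"

# 5. Verify: the private key must live in the smart-card KSP, and the certificate must carry an AIA
#    extension, which is where the OCSP responder URL that BIG-IP will contact comes from.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$SubjectCn*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in Cert:\CurrentUser\My' }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'legacy CSP' }
if ($provider -ne $SmartCardKsp) { Write-Warning "Key is in '$provider', not on the virtual smart card" }

$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { Write-Warning 'No AIA extension: OCSP checking on BIG-IP will need an explicitly configured responder URL' }

$cert | Format-List Subject, Issuer, Thumbprint, NotAfter
& certutil.exe -scinfo   # lists the card and the certificate stored on it
```

The provider check in step 5 is the one worth keeping: a template whose key storage provider is not the smart-card KSP silently produces a software-backed certificate that BIG-IP will accept just the same, so nothing on the server side tells you the TPM is out of the loop.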
BIG-IP configuration (System > Users > Authentication, remote LDAP):
Host: the LDAP server IP or hostname
Port: 636 for LDAPS
Remote directory tree: the search base DN on AD (here DC=ldapstest,DC=com)
Bind: the bind DN and password the BIG-IP uses to search the directory
SSL: enabled, for LDAPS
SSL certificate: the CA root certificate used to trust the certificate presented by the LDAP server
How does the process happen?
The client presents the certificate from the virtual smart card, BIG-IP checks its revocation status with the OCSP responder, and the user is then looked up in AD over LDAPS and authorised by nslcd, as the log lines below show.
OCSP request
OCSP response
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: nslcd_pam_authz("Users","httpd","","10.144.109.124","")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: myldap_search(base="DC=ldapstest,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=*Users*))")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: ldap_result(): CN=Distributed COM Users,CN=Builtin,DC=ldapstest,DC=com
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: myldap_search(base="DC=ldapstest,DC=com", filter="(&(objectClass=shadowAccount)(uid=Users))")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local debug httpd[19424]: pam_ldap(httpd:account): nslcd authorisation; user=Users
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: ldap_result(): end of results (0 total)
After clicking "OK", the BIG-IP login completes.
This is how BIG-IP authentication with a client certificate and LDAP is achieved using a virtual smart card.
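When a login fails it is hard to tell from the BIG-IP side whether the OCSP check or the LDAP lookup broke. The following pre-flight check, run on the Windows client, exercises both steps of the process described above independently of BIG-IP: it builds the certificate chain with online revocation checking (which uses the OCSP URL in the certificate's AIA extension) and then runs an LDAPS search over port 636 with a bind account and search base, the same parameters the BIG-IP remote LDAP configuration uses. This is an added example, not code from the original post; the CN testuser, the host dc01.ldapstest.com, the bind DN CN=bigip-bind,OU=Service,DC=ldapstest,DC=com and the search filter are assumptions.

```powershell
# Added example (not from the original post): a client-side pre-flight check that exercises the same
# two lookups BIG-IP performs during login, so failures can be diagnosed before touching the BIG-IP:
#   1. revocation status of the smart-card certificate via the OCSP URL in its AIA extension
#   2. an LDAPS search from the bind account for the certificate's CN as an sAMAccountName
# Assumptions (not in the post): cert subject CN "testuser", LDAPS host dc01.ldapstest.com,
# bind DN CN=bigip-bind,OU=Service,DC=ldapstest,DC=com, search base DC=ldapstest,DC=com.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$SubjectCn  = 'testuser'
$LdapHost   = 'dc01.ldapstest.com'
$SearchBase = 'DC=ldapstest,DC=com'
$BindDn     = 'CN=bigip-bind,OU=Service,DC=ldapstest,DC=com'

# --- 1. Certificate chain and OCSP --------------------------------------------------------------
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$SubjectCn*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectCn and a private key in Cert:\CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
# Bound the OCSP/CRL fetch so an unreachable responder fails fast instead of hanging.
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$chainOk = $chain.Build($cert)

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Chain   : $(if ($chainOk) { 'valid' } else { 'INVALID' })"
foreach ($s in $chain.ChainStatus) { Write-Host "  status: $($s.Status) - $($s.StatusInformation.Trim())" }
# RevocationStatusUnknown or OfflineRevocation here means the responder was unreachable or gave no
# answer; a BIG-IP configured to require OCSP will reject the login in that case as well.

# --- 2. LDAPS search with the same parameters as the BIG-IP remote LDAP configuration -----------
$bindPw = Read-Host -AsSecureString "Password for $BindDn"
$cred   = New-Object System.Net.NetworkCredential($BindDn, $bindPw)

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636, as in the BIG-IP setting
$conn.SessionOptions.ProtocolVersion   = 3
# Bind fails here if the DC certificate does not chain to a trusted CA, which is the trust the
# BIG-IP "SSL certificate" setting provides on the BIG-IP side.
$conn.Bind()

# The nslcd lines in the post search the remote directory tree for the login name as an sAMAccountName.
$filter   = "(&(objectClass=user)(sAMAccountName=$SubjectCn))"
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $SearchBase, $filter, 'Subtree', @('sAMAccountName', 'memberOf'))
$response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)

Write-Host "LDAP    : $($response.Entries.Count) entries for $filter under $SearchBase"
foreach ($e in $response.Entries) {
    Write-Host "  dn: $($e.DistinguishedName)"
    if ($e.Attributes.Contains('memberOf')) {
        foreach ($g in $e.Attributes['memberOf'].GetValues([string])) { Write-Host "    memberOf: $g" }
    }
}
$conn.Dispose()
```

If step 1 reports the chain as valid but step 2 returns zero entries, the problem is the mapping between the certificate subject and the directory (search base, filter or the bind account's read permissions), not the PKI; if step 1 already fails with a revocation status, fix responder reachability from the BIG-IP's network before looking at LDAP at all. certutil -verify -urlfetch against the exported certificate shows the raw OCSP request and response if more detail is needed.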