Martin_Aigner
Dec 23, 2019

Block Basic Auth on Exchange 2016

As we migrated to Modern Auth (OAuth), we'd like to retire legacy authentication protocols on our external interfaces for Exchange.

We have a separate iApp for the external traffic where we included an iRule to block Basic Auth requests (this works).

The same rule should also remove the www-authenticate header on responses for supporting Basic in case this is offered by the server after a 401.

As this triggers, it accidentally removes all headers and not only the one containing 'Basic' in the example below.

Hoping somebody here has done anything similar already in the past?

when HTTP_REQUEST {
    if { [string tolower [HTTP::header values "Authorization"]] contains "basic" } {
        drop
    }
}

when HTTP_RESPONSE {
    if { [HTTP::status] == 401 } {
        foreach header_name [HTTP::header names] {
            if { [string tolower [HTTP::header value $header_name]] contains "basic" } {
                HTTP::header remove $header_name
            }
        }
    }
}
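
One way to strip only the Basic challenge, as an added example that is not part of the original post. `HTTP::header remove` deletes every header with the given name, so this sketch collects the non-Basic `WWW-Authenticate` values first and re-inserts them. It assumes the server sends each challenge in its own `WWW-Authenticate` header, and it compares the scheme token rather than searching the whole value for "basic".

```tcl
# Added example (not the poster's rule). Assumption: each authentication
# challenge arrives in its own WWW-Authenticate header; challenges combined
# into one comma-separated header value are not split by this rule.

when HTTP_REQUEST {
    # Compare the auth scheme (first token of the value) instead of matching
    # a substring, so a Bearer token that happens to contain "basic" passes.
    foreach auth [HTTP::header values "Authorization"] {
        set scheme [string tolower [lindex [split [string trim $auth]] 0]]
        if { $scheme eq "basic" } {
            drop
            return
        }
    }
}

when HTTP_RESPONSE {
    if { [HTTP::status] == 401 && [HTTP::header exists "WWW-Authenticate"] } {
        # Collect every offered challenge except Basic.
        set keep [list]
        foreach challenge [HTTP::header values "WWW-Authenticate"] {
            set scheme [string tolower [lindex [split [string trim $challenge]] 0]]
            if { $scheme ne "basic" } {
                lappend keep $challenge
            }
        }

        # HTTP::header remove drops all headers with this name, so the
        # retained challenges are put back, one header per value.
        HTTP::header remove "WWW-Authenticate"
        foreach challenge $keep {
            HTTP::header insert "WWW-Authenticate" $challenge
        }
    }
}
```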
