Hi there, I've got a requirement for a new APM access policy, so I thought I'd field the question here. Has anyone got experience with the following type of requirements? I've got an intranet site, the owners of which can't manage authentication at the web server side (for reasons that we won't go into for now...) So, they want the APM to manage it for them. When a user hits the site/virtual server, they want to APM policy to do the following: When HTTP request is for a particular URi (for example /secure) Check for a currently logged in kerberos or NTLM session token in their session.If there is a kerberos token in the users session, run an AD/LDAP query getting their group memberships, and if they are a member of a particular group, grant them access to the requested resource. If there isn't a kerberos token, send them to an 'F5 Login page' and request AD auth and group checking before letting them in.All other Uri requests should just be allowed through. The authentication controls should only be enacted if the configured URLs are requested. I'm fine with a standard access policy, but I haven't implemented Kerberos/NTLM SSO before. We want to capture the users currently logged on AD credentials and run an AD query on them. Obviously this will only work with domain joined PCs, that's what the second leg of the access policy is there for, to mop up not supported clients/browsers, or external users... I'd be really keen to hear anyone's similar experiences or ideas. As I build up my design and implementation I'll share it here also. Hopefully we might all be able to learn something together! ;) Cheers, Gavin Connell-Otten

Meant to submit this as a discussion - oops!

Quick question. Check for a currently logged in kerberos or NTLM session token in their session. Kerberos is a per-site/name authentication mechanism. Though it would be technically possible (I believe) to do late-session Kerberos auth, the browser will generally either attempt Kerberos authentication with a server on initial access or it won't (when it first accesses a VIP for example). What would you expect initial access to look like, before going to the /secure URI?

Hi Kevin, I'm expecting to have top level/root directory access to the site open to anonymous users, and only apply the access policy to a select collection of sub sites (three sub directories at the moment). For instance, www.intranet.com would be open access, but a request for www.intranet.com/secure would call forth the access policy, log the user in with a SSO mechanism of some description, and if not possible (ie, the user doesn't fillfil the SSO criteria, OR they aren't using a domain joined computer) present a standard F5 managed login page securing access to the resource... Essentially, we want particular users within our organisation to be able to access the /secure sites without having to resubmit their AD credentials, and everyone else to be presented with the login page. This would mean that users with rights can log in to the resource using manually entered credentials when they are offsite, but when they are on-site, it's a seamless SSO experience. We've had one engineer try to implement this solution, but efforts have been fruitless so far. I'm taking over and I want to go back to basics to see what sort of mechanisms support this functionality. I'm open to all ideas! You say that the browser will attempt kerberos authentication on initial connection. Could an access policy be created to cach their credentials at that point, and store them to be used later on in the session, if they request one of the 'secure' URLs? Cheers, Gavin

Anyone got any thoughts? This can't be that unusual a use case can it? Have we bought the wrong product? :S Gavin

Apologies, haven't had a chance to explore some of the more detailed questions. The first, and probably easiest approach is to simply disable the access policy until the user requests a trigger URI. Assign your access policy to the VIP and use an iRule like the following: when HTTP_REQUEST { if { not ( [class match [stringt tolower [HTTP::uri]] starts_with my_uri_dg] ) } { ACCCESS::disable } } The access policy evaluation will only happen once, so once the user triggers it with a special URI request, they'll have a session cookie available for any other special access URIs. Just configure the access policy as you normally would. I'll be working on the second part of your question Monday morning (switching between Kerberos and form logon).

Forum Discussion

Gavin_Connell-O

Nimbostratus

Sep 24, 2013

Authentication access policy for intranet site / APM Module

Hi there,

I've got a requirement for a new APM access policy, so I thought I'd field the question here. Has anyone got experience with the following type of requirements?

I've got an intranet site, the owners of which can't manage authentication at the web server side (for reasons that we won't go into for now...) So, they want the APM to manage it for them.

When a user hits the site/virtual server, they want to APM policy to do the following:

When HTTP request is for a particular URi (for example /secure)
Check for a currently logged in kerberos or NTLM session token in their session.
If there is a kerberos token in the users session, run an AD/LDAP query getting their group memberships, and if they are a member of a particular group, grant them access to the requested resource.
If there isn't a kerberos token, send them to an 'F5 Login page' and request AD auth and group checking before letting them in.
All other Uri requests should just be allowed through. The authentication controls should only be enacted if the configured URLs are requested.

I'm fine with a standard access policy, but I haven't implemented Kerberos/NTLM SSO before. We want to capture the users currently logged on AD credentials and run an AD query on them. Obviously this will only work with domain joined PCs, that's what the second leg of the access policy is there for, to mop up not supported clients/browsers, or external users...

I'd be really keen to hear anyone's similar experiences or ideas. As I build up my design and implementation I'll share it here also. Hopefully we might all be able to learn something together! ;)

Cheers,

Gavin Connell-Otten

application delivery

BIG-IP Access Policy Manager (APM)

26 Replies

Gavin_Connell-O
Nimbostratus
Oct 29, 2013
Hi Kevin - Time constraints have resulted in us approaching professional services for a formal engagement to get to solution in place. Sorry, I should have updated you! Once I've got a solution in place I'll post something here. Maybe it will help someone else :)
Gavin_Connell-O
Nimbostratus
Aug 04, 2014
Thanks a lot for all your help with this question Kevin. We deployed an access policy with the help of F5 professional services from Australia. The end solution relies quite a lot of an iRule to selectively enable/disable the access policy when particular URi's are quested. I've got a basic ACL definied within the irule too. Once a user succsessfully exits the access policy, their APM attribute variables are checked for authorisation purposes. It works really well, and since we had this positive experience I've been able to utilise what I've learned about kerberos SSO to leverage the same framework for three other systems successfully. Loving the APM at the moment ;)

If anyone has any questions on this ballpark, I'd be only to happy to help/share experiences.
- Microgag_61404
  Nimbostratus
  Feb 04, 2015
  Hi Gavin, Would you be able to share on how to configure the "Correct UPN variable" and the "LDAP Query" in detail. Also the irule that are in use. Thanks and Regards
- f5learn_164388
  Nimbostratus
  May 04, 2016
  Hi Gavin We did a setup very similar to yours for the client side Kerberos part and are seeing some issues which I have documented in the link below. I got a response from a forum member regarding caching. Could you please let us know if this is what you too ran into. https://devcentral.f5.com/s/feed/0D51T00006i7dXkSAI Thanks Ski

Forum Discussion

Authentication access policy for intranet site / APM Module

26 Replies

Recent Discussions

F5 not sending traffic to Web pool

disable ciphers 1.0 and 1.1 on ssl client profile

Customer needs an LTM+DNS license. Would we recommend R2600 or R2800?

How to solve "TCP retransmit timeout" & "TCP RST from remote system" issue on BIG-IP LTM?

Error while running ansible

Related Content

OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Application Programming Interface (API) Authentication types simplified

iControl REST Authentication Token Management

F5 Access Policy Authentication Using Domain Prefix