APM - translating group SIDs extracted from Kerberos token
Hi community,
I am trying to "translate" group SIDs extracted from Kerberos token in APM policy (SWG authentication policy). My authentication logic uses KerberosAuth agent which collects SIDs and puts them into the variable named session.kerberos.last.groupsids. This works well - a user is authenticated and group SIDs are visible. The SID format is well-known from Microsoft docs (eg. S-1-5-32-544 means Local Admins group, etc.). I am looking for a way to translate collected SIDs into "human readable" groups' names - I need to put this into HTTP header in clear text.
I cannot use LDAP/AD query - as it will not show dynamic groups' membership. We are using Authentication Mechanism Assurance (AMA) in Active Directory. AMA adds an administrator-designated, universal group membership to a user's access token when the user's credentials are authenticated during logon by using a certificate-based logon method. One cannot get this information by querying LDAP/AD. This information is only visible in access token (in this case - Kerberos token).
If you want to do the SID translation using PowerShell you can run the following script on your Windows workstation:
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent() # Get current user context
$groupSIDs = $token.Groups # Get SIDs in current Kerberos token
foreach($sid in $groupSIDs) { # for each of those SIDs...
try { # try to..
Write-Host (($sid).Translate([System.Security.Principal.NTAccount])) # translate the SID to an account name
}
catch { # if we can't translate it...
Write-Warning ("Could not translate " + $sid.Value + ". Reason: " + $_.Exception.Message) # Output a warning and the corresponding exception
}
}
I am looking for a way to achieve this using iRule/any other means on F5.
Any hint apprieciated!
Regards
xRes
Should anyone need solution - it appears to be quite simple: there is bult-in agent "AD Group SID Resolver", I am pretty sure it wasn't there a few BIG-IP versions before... or maybe I simply didn't pay enough attention...
Anyway - once you have configured Kerberos Auth agent and set Extract Group SIDs as "enabled", you should add AD Group SID Resolver agent - it will translate Group SIDs into Group Names and store it in session.ad.last.attr.memberOf variable. Then it is easy to inject them into HTTP headers via iRule.