joel74 / POSH-F5-BIGIP

A set of PowerShell modules for working with F5 BIGIP devices using the iControlREST API

Authentication problems #1

Closed codepoke-kk closed 6 years ago

codepoke-kk commented 6 years ago

I'm a flat, cold newbie at f5 and very experienced at PowerShell, so I'm sure I'm doing something very wrong, but I have to start somewhere. I have read access to our company LTM, and am attempting to pull pool data via rest with PowerShell. I've tried the recommended method for creating the basic authentication credential and a couple other methods that usually work for me. I'm 401 denied every time. I note when I log in through the browser interface, I'm sent to tmui/login.jsp, if that helps.

Some reading on your site causes me to wonder whether I need to be using token-based authentication. Our LTM is set up to authenticate against Active Directory, and one of your pages says tokens are required with AD. I don't see token-based authentication supported in this library, but I'm pretty confused, so who knows.

$f5 = 'OurLTM'

Method 1

$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential "username", $secpasswd

Method 2

$mycreds = Get-Credential $env:USERNAME

Method 3

$mycreds = $host.ui.PromptForCredential("CORP Credentials", "Please enter your CORP user name and password.", $env:USERNAME, "NetBiosUserName")

Fails using all 3 methods

New-F5Session -LTMName $f5 -LTMCredentials $mycreds

Invoke-F5RestMethod : "401 F5 Authorization Required: Authorization failed: user=https://localhost/mgmt/shared/authz/users/username resource=/mgmt/tm/sys/version verb=GET uri:http://localhost:8100/mgmt/tm/sys/version/ referrer:10.xx.xx.xx sender:10.xx.xx.xx

codepoke-kk commented 6 years ago

First blunder. I posted this under Big-IP, but I'm using the LTM code. Sorry.

Second, on looking more closely at the error, it does seem to be looking for a locally defined ID when I'm in need of the AD identity. The username in the error URL is the correct one, so it makes sense I'm always going to fail.

Thanks.

joel74 commented 6 years ago

This project is meant to ultimately replace the LTM project, so I'm glad you posted here. Means I'm getting a little traction. :)

I've got a lab box running v13 that I'd set up with AD integration, and I was able to successfully authenticate against it using the following lines:

$secpasswd = ConvertTo-SecureString 'super secure password' -AsPlainText -Force
$credsAD = New-Object System.Management.Automation.PSCredential "jnewton", $secpasswd
$F5_v130_AD = New-F5Session -LTMName 192.168.1.101 -LTMCredentials $credsAD -Default -PassThru -TokenLifespan 20000

In your AD setup in the F5, what level access do external users have and do they have TMSH access?

codepoke-kk commented 6 years ago

The addition of those params did not change anything. On our system, external users have No Access and terminal access is denied. That doesn't sound promising. ;-) I'm not sure what TMSH is, or how to check it, unless it's the terminal access. And I'm not sure what to tell my LTM Admins.

joel74 commented 6 years ago

Well, I think you have your answer there. Users using iControlREST need access to the Traffic Management SHell, as the iControlREST API is really just a wrapper for executing TMSH commands.

https://devcentral.f5.com/articles/demystifying-icontrol-rest-part-1-understanding-the-request-uri