Closed codepoke-kk closed 6 years ago
First blunder. I posted this under Big-IP, but I'm using the LTM code. Sorry.
Second, on looking more closely at the error, it does seem to be looking for a locally defined ID when I'm in need of the AD identity. The username in the error URL is the correct one, so it makes sense I'm always going to fail.
Thanks.
This project is meant to ultimately replace the LTM project, so I'm glad you posted here. Means I'm getting a little traction. :)
I've got a lab box running v13 that I'd set up with AD integration, and I was able to successfully authenticate against it using the following lines:
```powershell
$secpasswd = ConvertTo-SecureString 'super secure password' -AsPlainText -Force
$credsAD = New-Object System.Management.Automation.PSCredential "jnewton", $secpasswd
$F5_v130_AD = New-F5Session -LTMName 192.168.1.101 -LTMCredentials $credsAD -Default -PassThru -TokenLifespan 20000
```
In your AD setup in the F5, what level access do external users have and do they have TMSH access?
The addition of those params did not change anything. On our system, external users have No Access and terminal access is denied. That doesn't sound promising. ;-) I'm not sure what TMSH is, or how to check it, unless it's the terminal access. And I'm not sure what to tell my LTM Admins.
Well, I think you have your answer there. Users using iControlREST need access to the Traffic Management SHell, as the iControlREST API is really just a wrapper for executing TMSH commands.
https://devcentral.f5.com/articles/demystifying-icontrol-rest-part-1-understanding-the-request-uri
I'm a flat, cold newbie at f5 and very experienced at PowerShell, so I'm sure I'm doing something very wrong, but I have to start somewhere. I have read access to our company LTM, and am attempting to pull pool data via rest with PowerShell. I've tried the recommended method for creating the basic authentication credential and a couple other methods that usually work for me. I'm 401 denied every time. I note when I log in through the browser interface, I'm sent to tmui/login.jsp, if that helps.
Some reading on your site causes me to wonder whether I don't need to be using token-based authentication. Our LTM is set up to authenticate against Active Directory, and one of your pages says tokens are required with AD. I don't see token-based supported in this library, but I'm pretty confused, so who knows.
```powershell
$f5 = 'OurLTM'
```
Method 1
```powershell
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential "username", $secpasswd
```
Method 2
```powershell
$mycreds = Get-Credential $env:USERNAME
```
Method 3
```powershell
$mycreds = $host.ui.PromptForCredential("CORP Credentials", "Please enter your CORP user name and password.", $env:USERNAME, "NetBiosUserName")
```
Fails using all 3 methods
```
Invoke-F5RestMethod : "401 F5 Authorization Required: Authorization failed: user=https://localhost/mgmt/shared/authz/users/username resource=/mgmt/tm/sys/version verb=GET uri:http://localhost:8100/mgmt/tm/sys/version/ referrer:10.xx.xx.xx sender:10.xx.xx.xx
```