
So, I got a little further on this.

Workflow

Via Postman I'm getting an access token directly via the app registration.

When I have the token, I'm sending it via the Authorization header to the NetScaler.

The NetScaler is configured with the same app registration.

 

I get the following errors in NS.LOG and NSTRACE (see screenshot):

"AAATM Bearer: No token or Error trying to evaluate username/pwd for bearer auth"
"OAUTH: JWT: Failed to verify signature on token, used algorithm is RS256"
"OAUTH: failed to verify JWT; action used: AAA-AS-OAUTH_WEBAPP"
"NS Oauth: Failed to verify Bearer token with error <1310743>"

Configuration

add authentication OAuthAction AAA-AS-OAUTH_WEBAPP -authorizationEndpoint "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize" -tokenEndpoint "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token" -clientID <clientid> -clientSecret <clientsecret> -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2024_04_05_07_15_01 -OAuthMiscFlags Base64Encode_Authorization_With_Padding -CertEndpoint "https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys" -userNameField OnpremisesSAMaccountname -allowedAlgorithms HS256 RS256 RS512
add authentication Policy ap-azuread-test-oauth -rule true -action AAA-AS-OAUTH_WEBAPP

add tm sessionAction spr-oauth-test -defaultAuthorizationAction ALLOW -ssoCredential PRIMARY -ssoDomain domain.local
add tm sessionPolicy spo-aaa-oauth-test true spr-oauth-test

add authentication vserver vs-aaa-test SSL 0.0.0.0
bind authentication vserver vs-aaa-test -policy ap-azuread-test-oauth -priority 100 -gotoPriorityExpression END
bind authentication vserver vs-aaa-test -policy spo-aaa-oauth-test -priority 100 -gotoPriorityExpression NEXT

add lb vserver vs-lb-test-oauth SSL 1.2.3.4 443 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -cltTimeout 180 -authn401 ON -authnVsName vs-aaa-test

Conclusion so far

It looks like the AAA vserver is not receiving the Bearer token (access token) at all.

I need to extract the access token and pass it on to the aaa vserver.

I cannot find any traffic that sends the bearer token to the Microsoft app registration.

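To see what the "Failed to verify signature on token" check actually involves, here is an added example (not from this post and not Citrix code) in Go that performs the same JWKS-based RS256 verification the OAuthAction does through -CertEndpoint: take alg and kid from the JWT header, pick the matching RSA key from the keys document, and verify the signature. MintTestToken and the kid "test-kid" are constructed stand-ins for Entra ID so it runs offline; it checks only alg, kid and the signature, not iss, aud or exp.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments and JWK n/e values are base64url without padding
func digest(s string) []byte    { h := sha256.Sum256([]byte(s)); return h[:] }
func bigFrom(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
// VerifyRS256 does the -CertEndpoint check: JWKS key by kid, RS256 signature over header.payload, return claims.
func VerifyRS256(token string, jwksDoc []byte) (map[string]any, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || json.Unmarshal(jwksDoc, &set) != nil {
		return nil, errors.New("malformed token, JWT header or JWKS document")
	}
	if hdr.Alg != "RS256" { // accept only the algorithm this code actually verifies
		return nil, errors.New("alg not allowed: " + hdr.Alg)
	}
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub := &rsa.PublicKey{N: bigFrom(k.N), E: int(bigFrom(k.E).Int64())}
			if sig, _ := b64.DecodeString(p[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
				return nil, errors.New("failed to verify signature on token") // the condition ns.log reports
			}
			claims := map[string]any{} // non-nil so Unmarshal fills this map rather than replacing it
			raw, _ := b64.DecodeString(p[1])
			return claims, json.Unmarshal(raw, &claims)
		}
	}
	return nil, errors.New("no RSA key with kid " + hdr.Kid + " in JWKS")
}
// MintTestToken: constructed stand-in for Entra ID, a fresh RSA key signs claims, public half becomes a one-entry JWKS (e=65537="AQAB").
func MintTestToken(claims map[string]string) (string, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	seg := func(v map[string]string) string { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
	signing := seg(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "test-kid"}) + "." + seg(claims)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signing))
	jwks := `{"keys":[{"kty":"RSA","kid":"test-kid","e":"AQAB","n":"` + b64.EncodeToString(key.N.Bytes()) + `"}]}`
	return signing + "." + b64.EncodeToString(sig), []byte(jwks)
}
```

Feeding VerifyRS256 the Postman token together with the JSON saved from the discovery/v2.0/keys URL reproduces the same step the NetScaler performs; on success, compare the returned aud claim with the app registration's client ID.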
