Forum Discussion

dubdub
Apr 13, 2012

APM and second-factor authentication

Environment: v11.1 HF1 LTM and APM

Hi all,

I am running into a strange error from APM that I can't find any documentation on:


The resource you are looking for is temporarily unavailable.
The cause may be an incomplete access policy evaluation. Please continue to finish your access policy in the previous browser window, and close this current window immediately. 

What I am attempting to do is introduce a second-factor authentication system into my APM flow. The second-factor system runs on different servers in a separate pool on my LTM. This is my current policy flow:

start -> logon page -> AD auth -> iRule Event -> message box -> sso credential mapping -> allow

(all fallback branches fall to deny)

So in that iRule event, I'm trying to trigger the intercept to my second-factor handling after the first factor succeeds. The second-factor system will post back to my protected VS with a fake URI (/fromSF) to indicate it has completed successfully. This is the iRule I've created so far:


when HTTP_REQUEST priority 700 { 
  log local0. "--- URI is [HTTP::uri]"
  set apm_cookie [HTTP::cookie value MRHSession] 
  if { $apm_cookie != "" && [ACCESS::session exists $apm_cookie] } { 
    log local0. "*** We have a valid APM session cookie"
  } else {
    log local0. "*** We DO NOT have a valid APM session cookie yet!"
  }
  if { [HTTP::uri] eq "/goToSF" } {
    log local0. "*** goToSF URI received; trying to get the SF form to display; so changing uri and disabling APM for this event"
    ACCESS::disable
    HTTP::uri /abc/Default2.htm
    pool pool_SF
  } else {
    ACCESS::enable
    log local0. "*** setting pool to protected app"
    pool pool_APP
    if { [HTTP::uri] eq "/fromSF" } {
      log local0. "*** Completed the second factor successfully, we now redirect them to start page of protected app"
      HTTP::respond 301 Location /def
    }
  }
}
when HTTP_RESPONSE { 
  log local0. "*** in http response"
}
when ACCESS_POLICY_AGENT_EVENT {
  if { [ACCESS::policy agent_id] eq "intercept_for_sf" } {
    log local0. "*** tricking us back into http_request"
    ACCESS::session data set session.custom.sf_result 0
    HTTP::respond 301 Location /goToSF
  }
}

This is what I see in my log file:


Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : --- URI is /
Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** We DO NOT have a valid APM session cookie yet!
Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** setting pool to protected app
Apr 13 11:37:12 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** tricking us back into http_request
Apr 13 11:37:12 tmm3 err tmm3[24171]: 011f0007:3: http_process_state_prepend - Invalid action EV_SINK_HEADER during ST_HTTP_PREPEND_HEADERS (Client side: vip=/Common/VS_APP profile=http pool=/Common/pool_APP client_ip=1.1.1.1)
Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : --- URI is /goToSF
Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** We have a valid APM session cookie
Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** goToSF URI received; trying to get the SF form to display; so changing uri and disabling APM for this event
Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** in http response
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : --- URI is /fromSF
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** We have a valid APM session cookie
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** setting pool to protected app
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** Completed the second factor successfully, we now redirect them to start page of protected app
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : --- URI is /def
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** We have a valid APM session cookie
Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** setting pool to APP

After clicking the submit button in the second-factor app, it waits for the timeout to expire and then finishes the rest of the log messages. The last message in the session report for APM is "Session variable 'session.logon.page.errorcode' set to '0'". I never see the message box from the policy.

I'm sure I'm doing something goofy; I just don't know what it is.

Thanks,

Jen
  • George_Watkins_ (Historic F5 Account)
    Hi Jen,

    I am running into the same error message: http_process_state_prepend - Invalid action EV_SINK_HEADER during ST_HTTP_PREPEND_HEADERS. I am trying to perform a redirect after a rewrite request is completed:

    when REWRITE_REQUEST_DONE {
        [...]
    
        clientside {
            HTTP::redirect $location
        }
    
        [...]
    }

    If I find an answer I'll post it back here. Thanks!

    -George
  • George_Watkins_ (Historic F5 Account)
    Hi Jen,

    I believe I may have identified your issue. It appears that issuing redirects in the middle of policy execution will cause this error. In order to avoid this in your situation, I would move the redirect from an iRule event to an APM policy ending. To do this, first open the Visual Policy Editor. You can add a new policy ending by clicking "Edit Endings" at the top of the editor. In the popup, click "Add ending" and define your redirect there. Assign that ending in place of the "intercept_for_sf" iRule Event.

    Hope that helps,

    George
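
As an added illustration of the two points above (Jen's posted iRule, and George's suggestion to take the redirect out of the iRule event), here is a rewritten version of that iRule. It is example code written for this thread, not code from the original posts or from F5. It assumes that an APM policy ending, not the iRule, redirects the browser to /goToSF after the "intercept_for_sf" agent event fires; that the variable name session.custom.sf_state, the pool names and the URIs are illustrative; and that the second-factor system only calls /fromSF after it has verified the user (the iRule does not authenticate that callback itself). The point it adds beyond the posted rule is that the second-factor state is kept in a session variable and checked on every request, so a client cannot reach the second-factor pool, or mark the second factor as completed, simply by requesting /goToSF or /fromSF with a first-factor session cookie.

```tcl
# Added example (not from the original posts or from F5): the posted flow with
# (a) the HTTP::respond removed from ACCESS_POLICY_AGENT_EVENT, which is the
# point in the log where the EV_SINK_HEADER error appears, and
# (b) the second-factor state kept in a session variable rather than inferred
# from the request URI.
#
# Assumptions: an APM policy ending redirects the user to /goToSF after the
# "intercept_for_sf" agent event; session.custom.sf_state, the pool names and
# the URIs are illustrative; the second-factor system is trusted to call
# /fromSF only after verifying the user (this rule does not authenticate it).

when ACCESS_POLICY_AGENT_EVENT {
    # Record state only. The original rule issued HTTP::respond here, while
    # the policy was still being evaluated.
    if { [ACCESS::policy agent_id] eq "intercept_for_sf" } {
        ACCESS::session data set session.custom.sf_state "pending"
        log local0. "*** second factor pending for session [ACCESS::session sid]"
    }
}

when HTTP_REQUEST priority 700 {
    set apm_cookie [HTTP::cookie value MRHSession]
    set have_session 0
    set sf_state ""
    if { $apm_cookie ne "" && [ACCESS::session exists $apm_cookie] } {
        set have_session 1
        set sf_state [ACCESS::session data get -sid $apm_cookie session.custom.sf_state]
    }
    log local0. "--- URI [HTTP::uri] session=$have_session sf_state=$sf_state"

    switch -- [HTTP::uri] {
        /goToSF {
            # Hand the request to the second-factor pool only when a
            # first-factor session exists and the policy has asked for it.
            if { $have_session && $sf_state eq "pending" } {
                ACCESS::disable
                HTTP::uri /abc/Default2.htm
                pool pool_SF
            } else {
                HTTP::respond 403 content "second factor not requested"
            }
        }
        /fromSF {
            # Accept the completion callback once per session, only while
            # pending, then send the browser to the application start page.
            if { $have_session && $sf_state eq "pending" } {
                ACCESS::session data set -sid $apm_cookie session.custom.sf_state "done"
                HTTP::respond 302 Location "/def"
            } else {
                HTTP::respond 403 content "unexpected second-factor callback"
            }
        }
        default {
            # Everything else stays behind APM and goes to the protected app.
            ACCESS::enable
            pool pool_APP
        }
    }
}
```

Two details are deliberate: the callback redirect uses 302 rather than the 301 in the posted rule, because a 301 is cached by browsers and a one-time step in an authentication flow should not be; and the /fromSF branch flips the state to "done" before responding, so a replayed callback on the same session is rejected. What happens after "done" (how the session reaches the Allow ending of the policy) is not covered by the thread, so the example does not attempt it.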