APM Policy seems to stay pending

Question

Hi all, &nbsp;
I am trying to set up a Kerberos authentication policy in my APM 11.6 HF4 to get some Windows Integrated auth for a VIP, following the f5 documented procedure (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html)&nbsp;
Everything seems to run fine at the authentication level, as I clearly see my username and auth results stored in my session variables, but the policy seems to stop there, just after the Kerberos auth box, and does not it the following boxes (I have some message box to trap where I am in the policy). Looks like the policy never leaves the Kerberos Auth box.
Therefore my browser just shows IE error (Page cant be displayed), and the session stays in the pending state (blue). 
I have attached a policy screenshot, it never hits the message boxes KRB AUTH DONE or FAILED. &nbsp;
Checking the LTM and APM logs show no error or stop. &nbsp;
There is something I am missing, and I don't find what...Some clue or a different angle/point of view would be helpful :)&nbsp;

&nbsp;

inno · Answer

Some weird development : policy runs with Firefox and Chrome but stays pending with IE.

I checked if some other authentication than Kerberos is occurring with these browsers, but no, it is pure Kerberos.
So the question is, why Kerberos IWA does not happen with IE ? I would have expected that to work better with IE than others browsers. And yes, all settings in IE have been multiple times checked :)

amolari · Answer

Fiddler (or httpwatch or..) might help here and figure out the different behaviour/result between IE and other browsers.&nbsp;

inno · Answer

Hi all, &nbsp;
Found the issue. I created a new virtual server, applied same APM policy, and everything worked pretty well as expected... Comparing both configs, it appears that selecting Preserve Strict setting for Source Port in the VS config breaks the whole thing. In my case, this item must be set to Preserve only. &nbsp;
Why it was working for Chrome &amp; Firefox but not IE is still a mystery, but at least, it is fixed. &nbsp;
Thanks, 
Pascal.&nbsp;

Forum Discussion

APM Policy seems to stay pending

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

STREAM::expression doesn't seem to work

Access policy, LTM policy and iRules

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 2 - Policy Import)

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 4 - Policy Lifecycle management)

Evaluate WAF Policy with BIG-IQ Policy Analyzer

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS