Forum Discussion
APM replacing ADFS proxy 3.0 : different behavior based on user agent value
Hi,
I am deploying F5 APM as ADFS proxy using deployment guide v1.4.
I configured AD auth and NTLM SSO.
When authenticating with Firefox, SSO does not work and the ADFS server requests form-based authentication (Firefox is my default test browser and I did not try with IE). I searched on DevCentral for anything else to configure to support ADFS 3.0.
I found this article about configuring form-based authentication on the ADFS server.
To support the ADFS proxy for any browser, I customized the iRule provided in the deployment guide as follows:
when HTTP_REQUEST {
    set keepua 0
    # For external Lync client access all external requests to the
    # /trust/mex URL must be routed to /trust/proxymex. Analyze and modify the URI
    # where appropriate
    HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
    # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
    if { [HTTP::uri] contains "/adfs/services/trust" } {
        ACCESS::disable
        set keepua 1
    }
    # OPTIONAL ---- To allow publishing of the federation service metadata
    if { [HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml" } {
        ACCESS::disable
        set keepua 1
    }
    # Every other request: present a User-Agent that ADFS answers with NTLM instead of forms
    if { !($keepua) } {
        HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
    }
}
It replaces the client User-Agent with one supported by the ADFS server for NTLM auth.
Am I the first to get this error? Is there a better solution to solve this issue?
Regards,
Stanislas
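Added example (not the deployment guide's iRule and not the poster's): a variant of the rewrite above that only spoofs the User-Agent when the client is not already presenting a Trident/MSIE agent, keeps the original agent in a custom header, and writes a log line for every request where the access policy is bypassed, so the bypass scope stays visible in /var/log/ltm. The header name X-Original-User-Agent and the log message format are assumptions; the URI matching and the replacement agent string are the ones from the post.

```tcl
# Added example, not from the deployment guide or the original poster.
# Assumptions: header name X-Original-User-Agent, log format.
when HTTP_REQUEST {
    set keepua 0

    # External Lync clients: /trust/mex must be routed to /trust/proxymex
    HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]

    # WS-Trust calls and federation metadata bypass the access policy.
    # Log each bypass so the admin can see exactly which URIs go unenforced.
    if { ([HTTP::uri] contains "/adfs/services/trust") ||
         ([HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml") } {
        ACCESS::disable
        set keepua 1
        log local0.info "ACCESS::disable for [IP::client_addr] [HTTP::method] [HTTP::uri]"
    }

    if { !($keepua) && [HTTP::header exists "User-Agent"] } {
        set ua [HTTP::header value "User-Agent"]
        set lua [string tolower $ua]
        # Only rewrite agents ADFS would answer with forms-based auth,
        # i.e. anything that is not already Trident/MSIE.
        if { !($lua contains "trident") && !($lua contains "msie") } {
            # Preserve the real client agent for troubleshooting on the APM side
            HTTP::header insert "X-Original-User-Agent" $ua
            HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
        }
    }
}
```

The log line makes the two ACCESS::disable paths auditable: after attaching the iRule, grep /var/log/ltm for "ACCESS::disable for" and confirm only WS-Trust and metadata URIs appear; any other URI in that list means the match conditions are broader than intended.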
2 Replies
So, silly question first - why do you want to keep forms-based authentication enabled on ADFS - period? Are you planning on allowing direct access to ADFS for internal users that will need to use forms-based auth instead of WIA?
Also, assuming you do need to keep both FBA and WIA enabled, have you verified that you have successfully performed the steps outlined in that article you reference?
- Stanislas_Piro2
Cumulonimbus
Hi,
I am configuring APM to secure the ADFS proxy from the Internet for my customer. My goal is to secure access without changing internal users' behavior.
I am not aware why Microsoft enabled FBA for non-Microsoft browsers since ADFS 3.0, so I must configure the same APM behavior for every Internet browser.
I will discuss with the customer the need to keep both authentication methods on the ADFS servers. But I asked this question to know whether this is a known issue, because I did not find any information about it.
Another reason for this thread is to provide information about this for the next engineer who would otherwise spend some time on it.
Regards,
Stanislas