Forum Discussion

david78's avatar
Icon for Nimbostratus rankNimbostratus
Sep 28, 2011

Basic-auth (401) without redirection to /my.policy



We use our Bigip like a reverse-proxy with iRules "ProxyPass".


We are in v11




We need to authenticate our users with basic-auth method (HTTP code 401).






The problem is that APM returns a redirect (code 302) to /my.policy, and this is not support by some clients applications.


Do you have an idea (iRules?) to avoid this redirection?




Thank you in advance!


4 Replies

  • Hi



    I dont know ifthis would help you but I have used an irule in the past for an external facing VS to check the header look for auth/uri and depending on the result return a http 401. If you get it to redirect for basic auth before the APM maybe the 301 wont come into effect.



    This code is a little rough but it does the job.



    when HTTP_REQUEST {


    if {[HTTP::uri] contains "????"}{


    if {[HTTP::header exists Authorization]}{




    } else {




    HTTP::respond 401








  • Hi David



    Have you ever resolved this thing.



    I have the same problem



    I have a application that gets a file from a sharepoint server



    It should work in an automatic non interactive way.



    The application works great through the LTM without any access policy



    But I need to authenticate the application in APM before aloowing it to go to the Sharepoint server



    I manage to create a policy that works when I use a browser. Using a logon page , I enter the credentials manually.



    But when I try to use the app, that is supposed to provide the credentials automatically when responding to a 401



    Th app does not even get the 401 response from the Big IP, the request gets redirected to /my.policy and the app just fails because it can`t open that page



    Is there a way to prevent the redirection.



    I hope someone can help with this. Anyone working at F5 can jump in an help?



    Let me know if you need more info.








  • This is a fairly common issue with SharePoint. The problem lies in the fact that 1) APM, by default, uses session-based (in browser memory) cookies to maintain session state with the client browser, and 2) the applications that SharePoint spawns (Office apps, WebDAV, some others) can't access that cookie. So anything coming from that application looks like a new session to APM (and get's the initial 302 to /my.policy). The recommended solution is to use persistent session cookies in APM. It's a checkbox on the second tab of an access policy. This allows the APM cookie to be file-based and now accessible to the spawned applications. The expiration of that cookie is controlled by the settings on the first tab, and the value is rewritten on every APM response so that it accurately expires the ticket after a defined amount of idle time.
  • Hello David,


    I dont know if you still have this problem, but i manage to solve it with this iRule i get from DevCentral, you just need to use this iRule with the Normal Auth box on your Access policy.


    when HTTP_REQUEST {
        set apmsessionid [HTTP::cookie value MRHSession]
            if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0}   
            if { !($apmstatus)} {
                if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
                    set clientless(insert_mode) 1       
                    set clientless(username)    [ string tolower [HTTP::username] ]
                    set clientless(password)    [HTTP::password]
                    binary scan [md5 "$clientless(password)"] H* clientless(hash)
                    set user_key "$clientless(username).$clientless(hash)"
                    set clientless(cookie_list)             [ ACCESS::user getsid $user_key ]
                    if { [ llength $clientless(cookie_list) ] != 0 } {
                        set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                        if { $clientless(cookie) != "" } {
                            HTTP::cookie insert name MRHSession value $clientless(cookie)
                            set clientless(insert_mode) 0
                 if { $clientless(insert_mode) } {
                    HTTP::header insert "clientless-mode" 1
                    HTTP::header insert "username" $clientless(username)
                    HTTP::header insert "password" $clientless(password)
                unset clientless
              } else {
                HTTP::respond 401 noserver WWW-Authenticate "Basic realm=\"[HTTP::host] Authentication\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
       if { ([ACCESS::policy result] equals "deny") } {
        set host [ACCESS::session data get ""]
          ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$host Authentication\"" Connection close
          ACCESS::session remove