Forum Discussion
Basic-auth (401) without redirection to /my.policy
Hi,
We use our BIG-IP as a reverse proxy with iRules "ProxyPass".
We are on v11.
We need to authenticate our users with basic-auth method (HTTP code 401).
The problem is that APM returns a redirect (code 302) to /my.policy, and this is not supported by some client applications.
Do you have an idea (iRules?) to avoid this redirection?
Thank you in advance!
4 Replies
- Ferg_104721
Nimbostratus
Hi
I don't know if this would help you, but I have used an iRule in the past for an external-facing VS to check the header, look for auth/URI and, depending on the result, return an HTTP 401. If you get it to redirect for basic auth before the APM, maybe the 301 won't come into effect.
This code is a little rough but it does the job.
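when HTTP_REQUEST {
    # "????" is the URI pattern, left as a placeholder in the original post
    if { [HTTP::uri] contains "????" } {
        if { [HTTP::header exists Authorization] } {
            # Request already carries an Authorization header: let it through
            HTTP::release
        } else {
            # No Authorization header: answer with a 401
            HTTP::collect
            HTTP::respond 401
            HTTP::release
        }
    }
}

- Michel_Lepage_5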
Nimbostratus
Hi David
Have you ever resolved this thing?
I have the same problem.
I have an application that gets a file from a SharePoint server.
It should work in an automatic, non-interactive way.
The application works great through the LTM without any access policy.
But I need to authenticate the application in APM before allowing it to go to the SharePoint server.
I managed to create a policy that works when I use a browser. Using a logon page, I enter the credentials manually.
But when I try to use the app, which is supposed to provide the credentials automatically when responding to a 401, the app does not even get the 401 response from the BIG-IP; the request gets redirected to /my.policy and the app just fails because it can't open that page.
Is there a way to prevent the redirection?
I hope someone can help with this. Can anyone working at F5 jump in and help?
Let me know if you need more info.
Michel

- Kevin_Stewart
Employee
This is a fairly common issue with SharePoint. The problem lies in the fact that 1) APM, by default, uses session-based (in browser memory) cookies to maintain session state with the client browser, and 2) the applications that SharePoint spawns (Office apps, WebDAV, some others) can't access that cookie. So anything coming from that application looks like a new session to APM (and gets the initial 302 to /my.policy). The recommended solution is to use persistent session cookies in APM. It's a checkbox on the second tab of an access policy. This allows the APM cookie to be file-based and now accessible to the spawned applications. The expiration of that cookie is controlled by the settings on the first tab, and the value is rewritten on every APM response so that it accurately expires the ticket after a defined amount of idle time.

Hello David,
I don't know if you still have this problem, but I managed to solve it with this iRule I got from DevCentral. You just need to use this iRule with the Normal Auth box on your Access policy.
when HTTP_REQUEST {
    # Check whether the request already carries an allowed APM session
    set apmsessionid [HTTP::cookie value MRHSession]
    if { [HTTP::cookie exists "MRHSession"] } {
        set apmstatus [ACCESS::session exists -state_allow $apmsessionid]
    } else {
        set apmstatus 0
    }

    if { !($apmstatus) } {
        if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
            # Basic credentials present: build the lookup key from
            # the lower-cased username and the MD5 of the password
            set clientless(insert_mode) 1
            set clientless(username) [ string tolower [HTTP::username] ]
            set clientless(password) [HTTP::password]
            binary scan [md5 "$clientless(password)"] H* clientless(hash)
            set user_key "$clientless(username).$clientless(hash)"
            set clientless(cookie_list) [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
                # A session already exists for this key: reuse it
                set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                if { $clientless(cookie) != "" } {
                    HTTP::cookie insert name MRHSession value $clientless(cookie)
                    set clientless(insert_mode) 0
                }
            }
            if { $clientless(insert_mode) } {
                # No reusable session: pass the credentials to APM in clientless mode
                HTTP::header insert "clientless-mode" 1
                HTTP::header insert "username" $clientless(username)
                HTTP::header insert "password" $clientless(password)
            }
            unset clientless
        } else {
            # No Basic credentials: send a 401 Basic challenge and clear the MRHSession cookie
            HTTP::respond 401 noserver WWW-Authenticate "Basic realm=\"[HTTP::host] Authentication\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
            return
        }
    }
}

when ACCESS_POLICY_COMPLETED {
    if { ([ACCESS::policy result] equals "deny") } {
        # Policy result is deny: answer with a 401 challenge and remove the session
        set host [ACCESS::session data get "session.network.name"]
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$host Authentication\"" Connection close
        ACCESS::session remove
    }
}
