Forum Discussion

JoeTheFifth's avatar
JoeTheFifth
Icon for Altostratus rankAltostratus
Jan 29, 2018

BigIP APM 12.1.3: username variable session.logon.last.username empty

variable was working in 11.5.

 

variable is working in chrome and firefox.

 

variable is not working in IE 11.

 

Any clues?

 

variable is used in an AD Query:

 

(sAMAccountName=%{session.logon.last.username})

 

application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    Jan 30, 2018

    I have an irule which triggers an access policy based on a condition => $EnableAPMPolicy equals 1

     when HTTP_REQUEST {
ACCESS::disable     
if { $EnableAPMPolicy equals 1 } {       
    ACCESS::enable
}

    }

    So by default I set ACCESS::disable in the HTTP_REQUEST. This was preventing IE from getting the username variable somehow. I added a condition which only calls ACCESS:disable if $PolicyEnabled = 0 Now IE is happy and variable is passed along.

         when HTTP_REQUEST {

if { $EnableAPMPolicy equals 0 } {       
    ACCESS::disable
}

if { $EnableAPMPolicy equals 1 } {       
    ACCESS::enable
}

    }

    • JoeTheFifth's avatar
      JoeTheFifth
      Icon for Altostratus rankAltostratus
      Jan 30, 2018

      After some tests this configuration interferes with office web apps. I have to keep the access:disable by default. Anyone know why this prevents IE from passing the session variable in APM?

       

    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus
      Jan 31, 2018

      Is this configuration enabled on the same VS you applied APM Sharepoint Authentication code?

       

      If Yes, I recommend to use version 2 of the code which allow you to manage APM disable in the first HTTP_REQUEST event (lines 50-97).

       

      don't create another irule but edit this one to manage Authentication.

       

      I guess you can manage office web apps by Host header to disable APM.

       

    • JoeTheFifth's avatar
      JoeTheFifth
      Icon for Altostratus rankAltostratus
      Mar 05, 2018

      This issue is becoming very serious now. I have confirmed two configurations where IE11 does not work:

       

      Config A: 1. You have a VS with an APM Policy starting with a logon page, a message box to show the username entered in the logon page and an ldap or ad auth.

       

      1. You add an irule on this VS with an Access::disable in the beginning of the http_request and an Access:Enable only if some condition is met.

      In this case apm shows an empty value in the user name and of course password is empty too. If you remove the access:disable IE does capture and transfer the username/password.

       

      Config B:

       

      1. You create 2 VSs
      2. On first VS add an irule with a redirect to the second VS if some condition is met.
      3. You add an APM policy to the second VS, same VPE => logon page, messagebox, auth.

      In this case IE does not work.

       

      In both configs Chrome and Firefox work fine.

       

      I have found some info here and there about APM/IE blank values: https://support.f5.com/csp/article/K04732437 https://support.f5.com/csp/article/K16109

       

      Anyone to test/confirm or offer a solution/bypass? Thanks.

       

  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    Mar 09, 2018

    So solution was to use this command to clean IE cache during my tests:

     

    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351