Forum Discussion
Client Certificate Authentication Big IP issue on iOS devices
Hi everyone,
We have 3 IIS servers running on HTTPS and load balanced with Big IP. We configured client certificate authentication on the IIS servers (many-to-one, one client certificate can be used for multiple users). At first, everything seemed to be OK. We tested on computers running different versions of Windows and no issue happened. However, when testing with iOS devices (iPhone, iPad), if the device has more than 2 profiles (client certs) installed, Safari keeps asking you to select a certificate each time you go to a page on the website. That was a terrible experience for the iOS users. We guess this issue was caused by the configuration of the BigIP. But since the Big IP system is managed by a different team from another company, we have very little information on how our pool was configured. Can anyone suggest what we need to tell the BigIP team to check or change in the configuration? Any help would be greatly appreciated.
- jaikumar_f5
Noctilucent
I'm sure this will be dealt with by an iRule. You can ask the F5 team to check the iRule CLIENTSSL_CLIENTCERT events, as this is the event which looks at whether a client has provided a cert. Hope this Q&A also gives you some tips.
 
- Nam_Truong_3245
Nimbostratus
Thanks jaikumar for your reply. So you mean the BigIP team enabled this iRule, or is this enabled by default? And the solution is to disable this iRule?
- jaikumar_f5
Noctilucent
No no, that's not what I meant. I'm pointing you to check in this direction with the BigIP team. The BigIP team would be dealing with iRules to handle these scenarios. They would have put in data-groups for different user-agents and how to respond based on that. If it's browser based, it acts differently, and if it's a mobile user agent, it would act differently. These are defined in the iRule. Explain to them that they may need to check the F5 iRule to handle these exceptions.
- Nam_Truong_3245
Nimbostratus
Hi jaikumar,
I just set up the test environment with Windows NLB and I see that the same issue also appears, like in the real environment with BigIP. An iOS device which has more than 2 client certificates will be asked for certificate selection each time a link/item is clicked. I already set NLB in Windows Server to Affinity mode: "Single" but there's still no change. So I wonder if this issue is from iOS (Safari) itself or caused by the load balancer? Do you have any idea?
- jaikumar_f5
Noctilucent
Can you share the VS configuration? Mask wherever needed.
- Nam_Truong_3245
Nimbostratus
Hi Jaikumar,
Here is a brief description of my test environment, could you please have a look? I really appreciate your kind help. Test Environment.xlxs