
smilanko_261688
Jul 07, 2016

Clientless mode failing to interact with AD

Scenario:

I have a webservice that is being called by some clients. When they hit a webservice, they should enter in a username / password combo for basic authentication. Those credentials should be taken by the APM, and processed in Active Directory. Here is an image of the flow:

Per this conversation, I am creating this iRule to prompt for username/password credentials and allow the APM to perform work.

 

when HTTP_REQUEST {
    set apmsessionid [HTTP::cookie value MRHSession]
    if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0}
    if {!($apmstatus)} {
        # Insert Clientless-mode header to start APM in clientless mode
        # Note: [HTTP::request] in the log line below includes the Authorization header
        if { [catch {HTTP::header insert "clientless-mode" 1} ] } {log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"}
    }
}

when ACCESS_POLICY_COMPLETED {
    # Authentication request for non browser user-agent session denied
    if { ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"My Web Services Authentication\"" Connection close
        ACCESS::session remove
        return
    }
}

 

However, following that post and using that code always leads me to the Deny portion. If I use the original solution here, I am able to authenticate successfully.

Am I missing something to add?

  • As you remove the session you kill it. You should not wait for access completed to do something. Either you put a 401 challenge or you use an irule event to respond with 401.

     

    Having said that, talking about a webservice, you may expect the login and password to be already in the request. In that case you create an iRule event and in the iRule you retrieve the login and password to assign them to the session logon variables.
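
The approach from the reply, as an added example that is not code from this thread or from F5: the iRule sends the 401 challenge in HTTP_REQUEST when the request carries no credentials, and otherwise copies the Basic credentials into the session logon variables. It uses the ACCESS_SESSION_STARTED event in place of a policy iRule Event agent, and assumes the access policy runs an AD Auth item without a logon page; the variable names `basic_user` and `basic_pass` are hypothetical.

```tcl
when HTTP_REQUEST {
    # Reuse an existing allowed APM session if the client presents one
    set has_session 0
    if { [HTTP::cookie exists "MRHSession"] } {
        set has_session [ACCESS::session exists -state_allow [HTTP::cookie value "MRHSession"]]
    }
    if { $has_session } { return }

    # No Basic credentials in the request: challenge here,
    # before APM creates a session, instead of after the policy completes
    if { [HTTP::username] eq "" || [HTTP::password] eq "" } {
        HTTP::respond 401 noserver WWW-Authenticate "Basic realm=\"My Web Services Authentication\"" Connection close
        return
    }

    # Hold the credentials in connection-scoped variables (hypothetical names)
    # and start APM in clientless mode. Nothing here is written to the log.
    set basic_user [HTTP::username]
    set basic_pass [HTTP::password]
    HTTP::header insert "clientless-mode" 1
}

when ACCESS_SESSION_STARTED {
    # Hand the credentials to the policy so AD Auth can validate them
    if { [info exists basic_user] } {
        ACCESS::session data set session.logon.last.username $basic_user
        # -secure stores the password as a secure session variable
        ACCESS::session data set -secure session.logon.last.password $basic_pass
        unset basic_user basic_pass
    }
}
```

Because the credentials travel in every request, the virtual server should only accept this traffic over TLS.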