Forum Discussion

AndersNordby
Apr 15, 2020

Evaluate access policy with SPNEGO/Kerberos from iRule for certain URL paths only


I have a VS with an iRule where I try to use an access policy with Kerberos (AD / SPNEGO integrated Windows) authentication on certain URLs only. It works fine if I apply the access policy on the whole VS, but I want to use it only on some URLs! See iRule code below.


Some things that are OK:

1) ACCESS::session exists returns that we have a valid session, returned in the session_exists variable that is output in the response.

Problems I have are aplenty:

2) The ACCESS::policy evaluate always returns deny. Why?

3) I don't get any details about the reason for 2) in Access Policy -> Event Logs. Tried to make a new Event Logs Settings with everything and his uncle turned on, but to no avail.

4) I don't even get a session ID from set session_id [ACCESS::session sid]. Sucks to be me... Do I have a valid session? What is the session ID? I can see some session IDs in Access Policy -> Event Logs -> Access System Logs -> Built In Reports -> All Messages that correlate with my curl testing. But I can't find any session details for the session ID apart from the session getting created (nothing about the policy evaluation - sigh) in Session Details searching for that session ID.


Any clues?



  # Note: the when-event wrappers and closing braces below are inferred; the
  # posted snippet had lost them, so the structure is restored from the comments
  # and indentation that survived.

when CLIENT_ACCEPTED {
  # When we accept a connection, create an Access session and save the session ID.
  set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
}

when HTTP_REQUEST {
  set uri [HTTP::uri]
  set req_adlogin 0

  # Read the logged-on user from the flow's session (empty until a logon has completed)
  # and pass it to the backend.
  set userprincipalname [string toupper [ACCESS::session data get session.logon.last.username]]
  HTTP::header insert "X-UserName" $userprincipalname

  if { [ACCESS::session exists -sid $flow_sid] } {
    set session_exists true
  } else {
    set session_exists false
  }

  # Only these URL prefixes require the AD (SPNEGO/Kerberos) logon.
  switch -regexp [HTTP::uri] {
    "^/funky" -
    "^/frozen" -
    "^/yogurt" {
      set req_adlogin 1
    }
  }

  set response_info "adlogin=$req_adlogin uri=$uri session_exists=$session_exists userprincipalname=$userprincipalname"

  if { $req_adlogin equals "0" } {
    HTTP::respond 200 content "Yaddayadda the URL is freee. $response_info"
  } else {
    pool web_spnegotest_pool

    # Evaluate the access policy against the per-flow session and branch on the result.
    ACCESS::policy evaluate -sid $flow_sid -profile /Common/spnegotest_access
    set session_id [ACCESS::session sid]
    switch [ACCESS::policy result -sid $flow_sid] {
      "allow" {
        HTTP::respond 200 content "<html><body>You made it ($flow_sid)! $response_info</body></html>"
      }
      "deny" {
        HTTP::respond 200 content "<html><body>Go away ($flow_sid)! $response_info session_id=$session_id</body></html>"
      }
      default {
        HTTP::respond 200 content "<html><body>Different result than expected - check your configuration. ($flow_sid) $response_info</body></html>"
      }
    }
  }
}

when CLIENT_CLOSED {
  # To avoid clutter, remove the access session for the flow.
  ACCESS::session remove -sid $flow_sid
}



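As an added example (not the poster's iRule and not an F5 reference implementation), here is the other way to scope APM to a few paths: keep the access profile attached to the whole virtual server, which the post says works, and use ACCESS::disable to bypass it only for paths that are explicitly public, so protected paths fail closed. The public paths are placeholders; the pool name is the one from the post.

```tcl
# Added example, not from the original post. Assumes the access profile
# /Common/spnegotest_access is attached to the virtual server itself, so the
# iRule only decides which requests bypass it. Public paths are placeholders.

when HTTP_REQUEST {
    # Fail closed: every path is protected unless it is listed here.
    switch -glob -- [string tolower [HTTP::path]] {
        "/public/*" -
        "/healthz" {
            # Public path: skip APM policy enforcement for this request only.
            ACCESS::disable
            log local0.info "APM bypass for [HTTP::path] from [IP::client_addr]"
            return
        }
    }
    # Any other path falls through to the attached policy (SPNEGO/Kerberos
    # challenge on first request, session lookup afterwards).
}

# Fires for each request the attached policy has allowed. This is where the
# identity the policy established is handed to the backend.
when ACCESS_ACL_ALLOWED {
    # Strip any client-supplied copy of the header first so a caller cannot
    # smuggle its own X-UserName past the backend's trust in it.
    HTTP::header remove "X-UserName"
    set upn [ACCESS::session data get "session.logon.last.username"]
    if { $upn ne "" } {
        HTTP::header insert "X-UserName" [string toupper $upn]
    }
    pool web_spnegotest_pool
}
```

Denied requests never reach ACCESS_ACL_ALLOWED, so the backend only ever sees an X-UserName that APM itself set.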