Invalid Session ID. Your session may have expired - during kerberos auth
I have an IdP setup that is doing client-side Kerberos auth before then sending on a SAML token to an SP. I have an intermittent issue where sometimes, when using the Kerberos auth, it seems to fail and send me to a logout page with an error:
.../my.logout.php3?errorcode=20
Your session could not be established.
The session reference number: 23f22713
Invalid Session ID. Your session may have expired.
In the logs I can see:
Session deleted (security_check).
Sometimes the Kerberos is ok and sometimes not, any ideas where to look for the cause of this?
Thanks
- CX_280703Nimbostratus
It seems to help if I change "Max Logon Attempts Allowed" from 1 to 3 in the Kerberos Auth. What does this setting actually do, and should this help?
- CX_280703Nimbostratus
Actually, the step above didn't help with the situation. We still see the issue. We also have an NTLM iRule that looks to be causing the issue. When doing an ECA::Disable for non-NTLM requests it seems to intermittently break Kerberos!
Also if I set "modify /sys db apm.rotatesessionid value disable" it seems to fix the issue but I don't want to do this as it weakens security.
Anyone have anything to try?
- Nolan_JensenCirrostratus
CX,
Did you ever figure this out? I am having the same issue. I have not yet messed with the apm.rotatesessionid value like you mentioned, as I was seeing if you came up with a better way.
Thanks
- CX_280703Nimbostratus
Hi Nolan,
So it came down to 3 things: Kerberos, NTLM and Session Rotation. If I stopped using any one of these 3 then my problem went away. In the end I needed both Kerberos and NTLM setups, and so F5 Support agreed that the only option was to turn off the session rotation. Since that day I never saw the issue again.
Note this was in APM 11.6.2. I have not tested since upgrading to later versions, but it would be interesting to see if it was resolved.
- Nolan_JensenCirrostratus
Thanks