Kerberos 401 authentication with form fallback

Hi Lucas, thanks for your response. I already thought about changing the User-Agent so that I can check for this header. For the moment, I could live with the 401 prompt, when I can display the auth form after canceling the 401 prompt. But no matter what I do, I receive "Authentication required to access the resources.", when Negotiate is enabled in the 401 agent.

One possibility is to combine an IP address check and a client check to say "if the client is internal and running Internet Explorer, then they can probably do Keberos; otherwise, show the web form". For failed 401 returning "Authentication required to access the resources.", I think that must be a bug -- if the 401 fails, it should follow the failure branch to e.g. web form.

Sorry, it's not a bug, but is not desirable/expected behaviour either. When APM sends the 401 Unauthorized, the HTTP response content is the error message defined in the APM HTTP 401 Response block. This defaults to "Authentication required to access the resources.". Instead we would want it to return something that caused the client and APM to advance down the fallback path, perhaps like an auto-submit form that caused the fallback path to be executed. I have submitted bug C2012278 to request such an enhancement to the HTTP 401 Response block.

It should advance if the client issues a POST to my.policy. A GET May also do it but haven't tested that in this context. Maybe a bit of JavaScript. Let us know the ID number you get from support, it should be 6 digits.

Hi Lucas -- my case number is: C2012278.

Hi all -- I was able to get a workaround for this from F5 support, which seems to do the right thing. Quoting from the F5 support response: The setup involves checking for the session variable "session.logon.last.authparam". This variable gets set when the client is supporting "Negotiate", it is not set when the client supports "Basic". The necessary steps are listed below: - add "Variable Assign" before "HTTP 401 Response": "session.logon.last.authparam = return {}" (set session variable "session.logon.last.authparam" to blank) - configure "HTTP 401 Response" - "HTTP Auth Level": "negotiate" - "HTTP response message": "" - add "Special_Basic" branch rule: "expr {[mcget {session.logon.last.authparam}] == ""}" (this has to be placed ABOVE the "Negotiate" branch) Now when the client is not supporting Negotiate it goes down the "Special_Basic" branch. I tried it and the result looked to be as expected. If the user is prompted for Kerberos and Kerberos fails then the failure path (designated by the Special_Basic branch) is taken.

Hi Evan, Alternatively, instead of adding the variable assign and using the Special_Basic branch rule, you can try this: - configure "HTTP 401 Response" - "HTTP Auth Level": "negotiate" - "HTTP response message": - For the "Negotiate" branch change the default expression to: expr { [mcget {session.logon.last.authtype}] == "Negotiate" && [mcget {session.logon.last.authparam}] != "" }

Just wanted to say thank you Saravanan as your solution worked for me. Also wanted to note that although the workaround posted by Evan did work I was still having a browser login prompt when using IE11 but it worked fine on Chrome.

 

Thanks

 

Hi,

the last solution provided by Saravanan M K worked for me:

remove the BASIC_STATIC branch and replace Negotiate branch expression to

expr { [mcget {session.logon.last.authtype}] == "Negotiate" && [mcget {session.logon.last.authparam}] != "" }