Hello, We are trying to get seamless login working for the laptop users in our environment. Here is the policy we have currently which seems to be working with following issues. 1) If we clear IE browser cache and try to access the Virtual server the login is seamless, though it takes a while before the webtop shows up to access a resource. Not sure where the delay is? We can see the Kerberos ticket being sent in fiddler and such. 2) After the initial login if we try to open access the Virtual server again, now we are getting a authentication dialog. Checking in fiddler we see that the Kerberos ticket is sent but it looks like the APM ignores it and sends a 401 again. Could anyone give us some directions on what to look for if you can came across this situation. Thanks, Ski

APM retain the kerberos ticket that you already played and fallback to a 401 prompt as it doesn't allow to replay the same kerberos token multiple times. You have to clear your Authentication cache on the Browser side. We workaround this behavior by injecting a javascript code within the response to the client. Here is an example of javascript function that work : void(document.execCommand('ClearAuthenticationCache'). The issue is that Internet Explorer send the same kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...

Thanks, Yann for answering this post. We will take a look at this workaround. The only concern is it clears the cache for everything. Also, going through the links below it looks like there is success for Kerberos seamless. I am little surprised that all these have to deal with the workaround. Or is APM accepting same token a bug that has been fixed in later versions. Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm https://devcentral.f5.com/questions/kerberos-caching-option Thanks, ski

Thanks, Yann for answering this post. We will take a look at this workaround. The only concern is it clears the cache for everything. Also, going through the links below it looks like there is success for Kerberos seamless. I am little surprised that all these have to deal with the workaround. Or is APM accepting same token a bug that has been fixed in later versions. Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/s/feed/0D51T00006i7R5xSAE https://devcentral.f5.com/s/feed/0D51T00006j3kPlSAI Thanks, ski

Don't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clear the credential caching only. But works for IE only :( For your information, we get this issue when the user authenticate using Kerberos, then logout and re-login fail because the same kerberos token is played on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the kerberos AAA object

kerberos seamless login issue

11 Replies

Yann_Desmarest
Cirrus
May 04, 2016
APM retain the kerberos ticket that you already played and fallback to a 401 prompt as it doesn't allow to replay the same kerberos token multiple times. You have to clear your Authentication cache on the Browser side. We workaround this behavior by injecting a javascript code within the response to the client. Here is an example of javascript function that work : void(document.execCommand('ClearAuthenticationCache').

The issue is that Internet Explorer send the same kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...
- f5learn_164388
  Nimbostratus
  May 04, 2016
  Thanks, Yann for answering this post. We will take a look at this workaround. The only concern is it clears the cache for everything. Also, going through the links below it looks like there is success for Kerberos seamless. I am little surprised that all these have to deal with the workaround. Or is APM accepting same token a bug that has been fixed in later versions. Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm https://devcentral.f5.com/questions/kerberos-caching-option Thanks, ski
- Yann_Desmarest
  Cirrus
  May 07, 2016
  Don't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clear the credential caching only. But works for IE only :( For your information, we get this issue when the user authenticate using Kerberos, then logout and re-login fail because the same kerberos token is played on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the kerberos AAA object
- f5learn_164388
  Nimbostratus
  May 13, 2016
  Thanks, Yann for the comment. Yes, we faced the re-login failure issue as you mentioned. Will take a look at Request based Auth. The suggestion below from Michael is addressing this.
Yann_Desmarest_
Nacreous
May 04, 2016
APM retain the kerberos ticket that you already played and fallback to a 401 prompt as it doesn't allow to replay the same kerberos token multiple times. You have to clear your Authentication cache on the Browser side. We workaround this behavior by injecting a javascript code within the response to the client. Here is an example of javascript function that work : void(document.execCommand('ClearAuthenticationCache').

The issue is that Internet Explorer send the same kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...
- f5learn_164388
  Nimbostratus
  May 04, 2016
  Thanks, Yann for answering this post. We will take a look at this workaround. The only concern is it clears the cache for everything. Also, going through the links below it looks like there is success for Kerberos seamless. I am little surprised that all these have to deal with the workaround. Or is APM accepting same token a bug that has been fixed in later versions. Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/s/feed/0D51T00006i7R5xSAE https://devcentral.f5.com/s/feed/0D51T00006j3kPlSAI Thanks, ski
- Yann_Desmarest_
  Nacreous
  May 07, 2016
  Don't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clear the credential caching only. But works for IE only :( For your information, we get this issue when the user authenticate using Kerberos, then logout and re-login fail because the same kerberos token is played on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the kerberos AAA object
- f5learn_164388
  Nimbostratus
  May 13, 2016
  Thanks, Yann for the comment. Yes, we faced the re-login failure issue as you mentioned. Will take a look at Request based Auth. The suggestion below from Michael is addressing this.
f5learn_164388
Nimbostratus
May 25, 2016
Michael, i think we got past the pop up thing. Its strange that once the reverse DNS lookup entry was added it took care of the delay and also the popup. Now we are seeing something different. Most of the times the seamless thing is working but once in a while we get a page cannot be displayed. We put some message boxes in place and see that the below highlighted path is taken and it just fails with a "page cannot be displyed" message in the browser. When we took the packet captures we see that there is a ack,rst from server and nothing happens. On the apm logs we see that "session is deleted due to user inactivity". Is there something else we are missing?
- Michael__
  Nimbostratus
  May 25, 2016
  Hi, the PTR entry for the SPN is mandatory or at least a host entry (on the APM) to get the Kerberos auth with the F5 working About the RST Could you set the Access Policy Logging to Debug (System ›› Logs : Configuration : Options) and check the log output (/var/log/apm) for a reason ?!
f5learn_164388
Nimbostratus
May 25, 2016
Thanks, Michael. Please find the screenshot below which has the last few lines from debug logs for successful vs failed logins.