Forum Discussion

Nimbostratus

May 03, 2016

kerberos seamless login issue

Hello, We are trying to get seamless login working for the laptop users in our environment. Here is the policy we have currently which seems to be working with following issues. 1) If we ...

application delivery

BIG-IP Access Policy Manager (APM)

Yann_Desmarest_

Nacreous

May 04, 2016

APM retain the kerberos ticket that you already played and fallback to a 401 prompt as it doesn't allow to replay the same kerberos token multiple times. You have to clear your Authentication cache on the Browser side. We workaround this behavior by injecting a javascript code within the response to the client. Here is an example of javascript function that work : void(document.execCommand('ClearAuthenticationCache').

The issue is that Internet Explorer send the same kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...

f5learn_164388
Nimbostratus
May 04, 2016
Thanks, Yann for answering this post. We will take a look at this workaround. The only concern is it clears the cache for everything. Also, going through the links below it looks like there is success for Kerberos seamless. I am little surprised that all these have to deal with the workaround. Or is APM accepting same token a bug that has been fixed in later versions. Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/s/feed/0D51T00006i7R5xSAE https://devcentral.f5.com/s/feed/0D51T00006j3kPlSAI Thanks, ski
Yann_Desmarest_
Nacreous
May 07, 2016
Don't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clear the credential caching only. But works for IE only :( For your information, we get this issue when the user authenticate using Kerberos, then logout and re-login fail because the same kerberos token is played on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the kerberos AAA object
f5learn_164388
Nimbostratus
May 13, 2016
Thanks, Yann for the comment. Yes, we faced the re-login failure issue as you mentioned. Will take a look at Request based Auth. The suggestion below from Michael is addressing this.