Forum Discussion
Rename default MRHsession cookie?
OK have got a bit further....
Firstly realised I could not get the password variable because it's secure and was falling foul of the same issue as in this question:
https://devcentral.f5.com/questions/cant-get-apm-secure-session-variable-value-in-irule
So what I did was use VPE to configure an expression:
session.logon.last.password1 = return "[mcget -secure {session.logon.last.password}]"
Then changed the initial iRule to:
# This is the data that will be passing to the internal APM - define HTTP headers and values here
set apmsessionuser [ACCESS::session data get "session.logon.last.username"]
set apmsessionpass [ACCESS::session data get "session.logon.last.password1"]
HTTP::header replace AGUSER $apmsessionuser
HTTP::header replace AGPASS $apmsessionpass
I can now see it authenticating ok on the internal APM, however all I get from clients is "Page Cannot Be Displayed" so looks like the portal access/rewrite isn't necessarily working properly!
APM logs from the front end as follows:
2014-01-16 19:46:04 Username 'testuser' Common
2014-01-16 19:46:13 Username 'testuser' Common
2014-01-16 19:46:13 Following rule 'fallback' from item 'Variable Assign' to ending 'Allow' Common
2014-01-16 19:46:13 Access policy result: LTM+APM_Mode
APM logs from the internal APM as follows:
2014-01-16 19:49:48 Following rule 'fallback' from item 'Start' to item 'AD Auth' Common
2014-01-16 19:49:48 AD agent: ENTER Function executeInstance Common
2014-01-16 19:49:48 AD Agent: invalid user password ciphertext Common
2014-01-16 19:49:48 AD module: ENTER Function authenticateUser Common
2014-01-16 19:49:48 AD module: authenticate with 'testuser@DOMAIN.COM' successfully Common
2014-01-16 19:49:48 AD module: LEAVE Function authenticateUser Common
2014-01-16 19:49:48 AD agent: Auth (logon attempt:0): authenticate with 'testuser' successful Common
2014-01-16 19:49:48 AD agent: LEAVE Function executeInstance Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test_act_active_directory_auth_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'Successful' from item 'AD Auth' to item 'SSO Credential Mapping' Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test_act_sso_credential_mapping_1_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'fallback' from item 'SSO Credential Mapping' to item 'Full Resource Assign' Common
2014-01-16 19:49:48 Webtop '/Common/InternalPortal_SSOTest_webtop' assigned Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test2_act_full_resource_assign_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'fallback' from item 'Full Resource Assign' to ending 'Allow' Common
2014-01-16 19:49:48 StartURI from webtop: https://portal.domain.com Common
2014-01-16 19:49:48 Access policy result: Web_Application Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test2_end_allow_ag', return value 0 Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.actualdomain' set to 'DOMAIN.COM' Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.authresult' set to '1' Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.errmsg' set to ' ' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.actualdomain' set to 'DOMAIN.COM' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.authresult' set to '1' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.errmsg' set to ' ' Common
2014-01-16 19:49:48 Session variable 'session.assigned.resources.pa' set to '/Common/InternalPortal_SSOTest_pa_res' Common
2014-01-16 19:49:48 Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/InternalPortal-Test2.' Common
2014-01-16 19:49:48 Session variable 'session.assigned.webtop' set to '/Common/InternalPortal_SSOTest_webtop' Common
2014-01-16 19:49:48 Session variable 'session.logon.page.errorcode' set to '0' Common
2014-01-16 19:49:48 Session variable 'session.policy.result' set to 'allow' Common
2014-01-16 19:49:48 Session variable 'session.policy.result.start_uri' set to '/f5-w-68747410723a2f2f706f7274616c2e545972766576652e707269$$/' Common
2014-01-16 19:49:48 Session variable 'session.policy.result.webtop.type' set to 'web_application' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.password' set to '**********' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.username' set to 'testuser' Common
2014-01-16 19:49:48 Session variable 'session.webtop.customization.group' set to '/Common/InternalPortal_SSOTest_webtop_customization'
At a loss now.....
- Jan 18, 2014: You should have an option in the portal access object to turn on logging. It may help.
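Added example, not part of the original thread and not F5 code: a Python triage script for session logs in the format quoted above, which rebuilds the policy branch walk and flags password-like session variables logged with a non-masked value. The sample log is constructed, and its `session.logon.last.password1` entry assumes that a copy assigned without the secure flag is written to the log in cleartext.

```python
import re

# Constructed sample in the same line format as the APM logs quoted in the post.
# The password1 value is a constructed placeholder, not data from the thread.
SAMPLE_LOG = """\
2014-01-16 19:49:48 Following rule 'fallback' from item 'Start' to item 'AD Auth' Common
2014-01-16 19:49:48 Following rule 'Successful' from item 'AD Auth' to item 'SSO Credential Mapping' Common
2014-01-16 19:49:48 Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.password' set to '**********' Common
2014-01-16 19:49:48 Session variable 'session.logon.last.password1' set to 'constructed-cleartext' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.username' set to 'testuser' Common
"""

RULE_RE = re.compile(
    r"Following rule '([^']*)' from item '([^']*)' to (?:item|ending) '([^']*)'"
)
# The trailing partition name ("Common") is optional: the last log line
# in the post is missing it.
VAR_RE = re.compile(r"Session variable '([^']+)' set to '(.*)'(?:\s+\S+)?\s*$")
SECRET_NAME_RE = re.compile(r"passw|secret", re.IGNORECASE)


def policy_path(log):
    """Return the policy walk as (from_item, rule, to_item) tuples, in log order."""
    return [(src, rule, dst) for rule, src, dst in RULE_RE.findall(log)]


def unmasked_secrets(log):
    """Return names of password-like session variables whose logged value
    is anything other than empty or a run of '*' mask characters."""
    hits = []
    for line in log.splitlines():
        m = VAR_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        if SECRET_NAME_RE.search(name) and value.strip("*"):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for src, rule, dst in policy_path(SAMPLE_LOG):
        print(f"{src} --{rule}--> {dst}")
    for name in unmasked_secrets(SAMPLE_LOG):
        print(f"UNMASKED: {name}")
```
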
