Forum Discussion
mike_aws_119486
Jan 16, 2014
Nimbostratus
OK have got a bit further....
Firstly realised I could not get the password variable because it's secure and was falling foul of the same issue as in this question:
https://devcentral.f5.com/questions/cant-get-apm-secure-session-variable-value-in-irule
So what I did was use VPE to configure an expression:
session.logon.last.password1 = return "[mcget -secure {session.logon.last.password}]"
Then changed the initial iRule to:
# This is the data that will be passing to the internal APM - define HTTP headers and values here
set apmsessionuser [ACCESS::session data get "session.logon.last.username"]
set apmsessionpass [ACCESS::session data get "session.logon.last.password1"]
HTTP::header replace AGUSER $apmsessionuser
HTTP::header replace AGPASS $apmsessionpass
I can now see it authenticating ok on the internal APM, however all I get from clients is "Page Cannot Be Displayed" so looks like the portal access/rewrite isn't necessarily working properly!
APM logs from the front end as follows:
2014-01-16 19:46:04 Username 'testuser' Common
2014-01-16 19:46:13 Username 'testuser' Common
2014-01-16 19:46:13 Following rule 'fallback' from item 'Variable Assign' to ending 'Allow' Common
2014-01-16 19:46:13 Access policy result: LTM+APM_Mode
APM logs from the internal APM as follows:
2014-01-16 19:49:48 Following rule 'fallback' from item 'Start' to item 'AD Auth' Common
2014-01-16 19:49:48 AD agent: ENTER Function executeInstance Common
2014-01-16 19:49:48 AD Agent: invalid user password ciphertext Common
2014-01-16 19:49:48 AD module: ENTER Function authenticateUser Common
2014-01-16 19:49:48 AD module: authenticate with 'testuser@DOMAIN.COM' successfully Common
2014-01-16 19:49:48 AD module: LEAVE Function authenticateUser Common
2014-01-16 19:49:48 AD agent: Auth (logon attempt:0): authenticate with 'testuser' successful Common
2014-01-16 19:49:48 AD agent: LEAVE Function executeInstance Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test_act_active_directory_auth_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'Successful' from item 'AD Auth' to item 'SSO Credential Mapping' Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test_act_sso_credential_mapping_1_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'fallback' from item 'SSO Credential Mapping' to item 'Full Resource Assign' Common
2014-01-16 19:49:48 Webtop '/Common/InternalPortal_SSOTest_webtop' assigned Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test2_act_full_resource_assign_ag', return value 0 Common
2014-01-16 19:49:48 Following rule 'fallback' from item 'Full Resource Assign' to ending 'Allow' Common
2014-01-16 19:49:48 StartURI from webtop: https://portal.domain.com Common
2014-01-16 19:49:48 Access policy result: Web_Application Common
2014-01-16 19:49:48 Executed agent '/Common/InternalPortal-Test2_end_allow_ag', return value 0 Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.actualdomain' set to 'DOMAIN.COM' Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.authresult' set to '1' Common
2014-01-16 19:49:48 Session variable 'session.ad./Common/InternalPortal-Test2_act_active_directory_auth_ag.errmsg' set to ' ' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.actualdomain' set to 'DOMAIN.COM' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.authresult' set to '1' Common
2014-01-16 19:49:48 Session variable 'session.ad.last.errmsg' set to ' ' Common
2014-01-16 19:49:48 Session variable 'session.assigned.resources.pa' set to '/Common/InternalPortal_SSOTest_pa_res' Common
2014-01-16 19:49:48 Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/InternalPortal-Test2.' Common
2014-01-16 19:49:48 Session variable 'session.assigned.webtop' set to '/Common/InternalPortal_SSOTest_webtop' Common
2014-01-16 19:49:48 Session variable 'session.logon.page.errorcode' set to '0' Common
2014-01-16 19:49:48 Session variable 'session.policy.result' set to 'allow' Common
2014-01-16 19:49:48 Session variable 'session.policy.result.start_uri' set to '/f5-w-68747410723a2f2f706f7274616c2e545972766576652e707269$$/' Common
2014-01-16 19:49:48 Session variable 'session.policy.result.webtop.type' set to 'web_application' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.password' set to '**********' Common
2014-01-16 19:49:48 Session variable 'session.sso.token.last.username' set to 'testuser' Common
2014-01-16 19:49:48 Session variable 'session.webtop.customization.group' set to '/Common/InternalPortal_SSOTest_webtop_customization'
At a loss now.....
- Jan 18, 2014
You should have an option in the portal access object to turn on logging. It may help.