Forum Discussion
NimbostratusUsername in APM Reports - VIP using Kerberos SSO
Hi,
I know this question was raised a bit in the past, but my guess is that it had no solution or answer.
I have a VIP which my users access leveraging Kerberos SSO through an APM policy. When running APM reports, the Username field stays empty, making the reports totally useless.
I checked that session variables are correctly populated (session.logon.last.username and logonname), but nothing shows up in reports.
Version used : 11.6 HF4 (tested also on 11.6 HF5)
Do someone have a clue on how to make this work ?
Thanks, Pascal.
9 Replies
- boneyard
MVP
i believe i have the same issue (also 11.6 HF5). to be sure with Kerberos SSO you mean that you HTTP 401 response + Kerberos Auth in the Access Policy so users authenticate on the client side of APM with their Kerberos ticket? there was an earlier question you also answered in but there hints were made to custom reports, only there is no other login field or such to choose. im wonderif if it isn't possible because only after the Kerberos Auth VPE the system becomes aware of an actual user. the system never shows a clear username 'name' like it does with other logon methods. makes me wonder if you do see a username when you do client cert auth for example. 
InnOYes @boneyard, that is exactly a HTTP401 + Kerberos Auth. The thing is reports in APM probably do not get the username from the standard session variables (session.logon.last.username and logonname). Asked F5, and the workaround they provided me did the trick. I added a logging event box at the end of the VPE, configured to log session.logon.last.username for instance, then using custom reports, checked the session variable value to be displayed. This worked, but that would be cool to have something more consistent. Asked F5, and the workaround they provided me did the trick. I added a logging event box at the end of the VPE, configured to log session.logon.last.username for instance, then using custom reports, checked the session variable value to be displayed. This worked, but that would be cool to have something more consistent.
amolariCirrostratus
it seems to be somehow a regression bug. I had in older 11 releases the same issue for users login with client certificates (username was being extracted from the certificate). At some point it was fixed.- boneyardyeah it is odd and feel buggy, i just noticed that in active sessions it does show the correct username ... btw F5Maniac you can post your workaround as answer and flag it i would say.
- boneyardhey, i got it working now, it seems related to either stripping of the @domain part or doing an ad query, got to look into it further but i at least have in the normal report the actual username showing up.
- InnOThx Boneyard, If you have any hint of what made it working for you, please feel free to share, I would be really interested to understand what is happening.
- boneyard
ok, i think i got a fix / workaround, it is rather silly but give it a go.
after the the Kerberos Auth VPE add a variable assign VPE
in the VPE you do: Custom Variable Unsecure session.logon.last.username = Session Variable session.logon.last.username
for me this works 100%, like mentioned before it feels like a bug, and if this also works for you then im quite sure it is.
- InnO
You are the man, this workaround works perfectly ! You did my day :)
Thanks, Pascal / F5Maniac
- boneyardyou are welcome, it was a bit of a lucky catch, but if it works it works :) if you ever have the time open a ticket for this and get a bugID assigned.
