For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

pasha's avatar
pasha
Icon for Altostratus rankAltostratus
May 26, 2022

uwebbrowserparser.cpp, UWebBrowserParser::DocumentComplete

Hello, We are having an issue with our F5 Edge Client that produces a popup each time from Microsoft to authenticate (pick a user). These machines are hybrid joined to Azure and nothing is triggerin...
cloud
security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
May 29, 2022

You have not provided a lot of info what F5 article you have followed to make the authentication seemless and what authentication you are using.

 

Maybe try to upgrade the F5 Edge client to te final version as it sounds to me that the F5 Edge Client is not honoring the persistant cookie option in Azure AD:

 

https://techdocs.f5.com/en-us/apm-f5-access/apm-f5-access-windows-10-using-intune/c_f5_access_windows_chapter_title_conditional_access.html

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

 

It could be good to investigate from the Azure AD logs as why when the connection commes from the Edge Client and not a browser if there is an issue asking for reauthentication.

 

Also maybe the F5 Edge client by design may not keep any persistant cookies but this is something that maybe F5 TAC can tell.

 

 

Edit:

 

Also I found it interesting that the Edge Client as you say is trying to use its native embeded web browser and not opening Chrome or other browser to display the SAML loging page as this will be much better:

 

https://community.f5.com/t5/technical-articles/vpn-access-with-mfa-using-edge-client-7-2-1-and-apm-16-0/ta-p/286298

 

Other thing that you can check if " ForceAuthn" is set:

 

https://support.f5.com/csp/article/K55489557

pasha's avatar
pasha
Icon for Altostratus rankAltostratus
May 31, 2022

Thank you for your response.

We are using the most recent F5 client. And yes I agree with you regarding the Edge Client using the native embedded browser vs. system default browser. I beleive this is the root cause of the issue. However, I looked at the Okta link you pasted and I'm not seeing where it mentions the setting to use the system default browser on the Edge Clients. 

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Jun 01, 2022

    What is your Edge client version as it could be a bug using the embedded browser?  Also look at this link and supplement articles as a browser plug-in should be installed with the edge client installation https://support.f5.com/csp/article/K99054837

    • pasha's avatar
      pasha
      Icon for Altostratus rankAltostratus
      Jun 01, 2022

      Edge Client is 7221,2022,412,1126 (I think that is the latest available?)

      And yes, I agree it could be a bug (or some kind of incompatibility) with the embedded browser. The embedded browser is running a legacy version of IE10/11 rendering engine. I'm still not clear how to get the client to open the system default browser instead. The link pasted suggests that F5 is telling users to only go through the web browser to connect instead of using the Edge Client. We still want to leverage the Edge Client but have it open the system default browser instead of the embedded browser.