SWG, Kerberos Auth and identify users by credentials
MVPDigged a little bit further into reusing existing APM sessions in the case that Negotiate-Kerberos is used.
Without fully decoding the Negotiate-Kerberos message in front of APM (including decrypting session ticket information, extracting session specific keys and finally verifying the Message-Authenticator), its not possible to securely identify the user.
I'm working right now on an APM policy that lookups existing APM session for the same user directly after Kerberos-Auth action is complete and then starts to copy session information from the existing APM session to speed up VPE processing. After VPE is finished, an iRule will destroy the just created APM session after HTTP_RESPONSE and then steer subsequent request over the same TCP connection to the old APM session. Not ideal, but seems to be the best what can be done... :-(
Cheers, Kai