APM Policy seems to stay pending

Question

Hi all, &nbsp;
I am trying to set up a Kerberos authentication policy in my APM 11.6 HF4 to get some Windows Integrated auth for a VIP, following the f5 documented procedure (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html)&nbsp;
Everything seems to run fine at the authentication level, as I clearly see my username and auth results stored in my session variables, but the policy seems to stop there, just after the Kerberos auth box, and does not it the following boxes (I have some message box to trap where I am in the policy). Looks like the policy never leaves the Kerberos Auth box.
Therefore my browser just shows IE error (Page cant be displayed), and the session stays in the pending state (blue). 
I have attached a policy screenshot, it never hits the message boxes KRB AUTH DONE or FAILED. &nbsp;
Checking the LTM and APM logs show no error or stop. &nbsp;
There is something I am missing, and I don't find what...Some clue or a different angle/point of view would be helpful :)&nbsp;

&nbsp;

inno · Answer

Some weird development : policy runs with Firefox and Chrome but stays pending with IE.

I checked if some other authentication than Kerberos is occurring with these browsers, but no, it is pure Kerberos.
So the question is, why Kerberos IWA does not happen with IE ? I would have expected that to work better with IE than others browsers. And yes, all settings in IE have been multiple times checked :)

amolari · Answer

Fiddler (or httpwatch or..) might help here and figure out the different behaviour/result between IE and other browsers.&nbsp;

inno · Answer

Hi all, &nbsp;
Found the issue. I created a new virtual server, applied same APM policy, and everything worked pretty well as expected... Comparing both configs, it appears that selecting Preserve Strict setting for Source Port in the VS config breaks the whole thing. In my case, this item must be set to Preserve only. &nbsp;
Why it was working for Chrome &amp; Firefox but not IE is still a mystery, but at least, it is fixed. &nbsp;
Thanks, 
Pascal.&nbsp;

Forum Discussion

APM Policy seems to stay pending

3 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Access policy, LTM policy and iRules

STREAM::expression doesn't seem to work

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation)

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 5 - Working with Policy Builder)

Monitor LTM policy