Forum Discussion

Gavin_Connell-O's avatar
Gavin_Connell-O
Icon for Nimbostratus rankNimbostratus
Jul 30, 2014

Client side Kerberos problem with Mac OSX 10.9 and Safari 7.0.2

Hi all,

 

I've got a working client side SSO access policy in APM providing access to an internal intranet. It works perfectly with Windows clients (with the right browser config) and I can get it working on Chrome on our Macs, once the macs have been issued with an initial kerberos ticket for the user's AD account (our KDC is Windows AD 2003). Safari just throws up an APM error page when the user connects with it saying, "Invalid Session ID: Your session may have expired." Checking the APM log even in debug mode doesn't show anything obvious for that session, you just see a message saying the session has been deleted, no kerberos processing begins.

 

On the client side, in a HTTP trace I see this:

 

Request GET /my.policy HTTP/1.1 Host: www.victoria.ac.nz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Connection: keep-alive Proxy-Connection: keep-alive Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Accept-Language: en-us Referer: http://www.victoria.ac.nz/ Accept-Encoding: gzip, deflate

 

Response HTTP/1.1 401 Unauthorized Server: Apache Content-Type: text/html; charset=utf-8 X-Frame-Options: DENY Pragma: no-cache Cache-Control: no-cache, must-revalidate Accept-Ranges: bytes Connection: close Date: Wed, 30 Jul 2014 04:54:09 GMT Content-Length: 335 WWW-Authenticate: Basic realm="staff.vuw.ac.nz" WWW-Authenticate: Negotiate Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure Set-Cookie: MRHSession=ef9605c9ed0bca0206113f6077c8fbae;path=/;secure

 

Request GET /my.policy HTTP/1.1 Host: www.victoria.ac.nz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Connection: keep-alive Authorization: Negotiate key Snipped for securityYIIHXwYGKwYBBQUCoIIHUzCCB0+gITAfBgkqhkiG9xIBAgIGBiqFcCsOAwYKKwYBBAGCNwICCqKCBygEggckYIIHIAYJKoZIhvcSAQICAQBuggcPMIIHC6ADAgEFoQMCAQ6iBwMFAAAAAACjggYGYYIGAjCCBf6gAwIBBaERGw9TVEFGRi5WVVcuQUMuTlqiJTAjoAMCAQOhHDAaGwRIVFRQGxJ3d3cudmljdG9yaWEuYWMubnqjggW7MIIFt6ADAgEXoQMCAQSiggWpBIIFpdLbJ9FpJ//Bjl+ixeKwBjDZ/1uVgsnoQr4l+kqMazjtr/AILRjfY57mL4hSHX8EWgOObQ+6NlP=******** Proxy-Connection: keep-alive Cookie: LastMRH_Session=77c8fbae; MRHSession=d5087e7f0252687cc231819f77c8fbae; TIN=272000; __utma=189107500.700714022.1406696059.1406696059.1406696059.1; __utmb=189107500.3.10.1406696059; __utmc=189107500; __utmz=189107500.1406696059.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Accept-Language: en-us Referer: http://www.victoria.ac.nz/ Accept-Encoding: gzip, deflate

 

Response HTTP/1.0 302 Found Server: BIG-IP Connection: Close Content-Length: 0 Location: /my.logout.php3?errorcode=20 Set-Cookie: LastMRH_Session=77c8fbae;path=/;secure Set-Cookie: MRHSession=d5087e7f0252687cc231819f77c8fbae;path=/;secure

 

So it looks like Safari is presenting its Kerb ticket, but the F5 doesn’t like it.

 

Anyone got any clues?

 

Thanks,

 

Gavin

 

APM
kerberos
mac
safari
security
SSO

10 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 30, 2014

    At this point I would probably fire up WireShark and dig into the Kerberos tickets directly. I'd certainly agree that the Safari client is sending a Kerberos ticket, but it might be interesting to compare that to a working Kerberos ticket. Albeit unusual, the Safari client could be using an incorrect cipher.

     

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Aug 01, 2014

    with 401 challenge bigip sends Set-Cookie: MRHSession=ef9605c9ed0bca0206113f6077c8fbae path=/;secure

     

    but the client for the second get sends MRHSession=d5087e7f0252687cc231819f77c8fbae;

     

    according to your referers, you are on a HTTP scheme, http://www.victoria.ac.nz/ , which maybe why the client is not accepting sending the cookie back.

     

    what is you cookie option configuration in the APM policy definition ? is the secure checkbox checked ?

     

  • Gavin_Connell-O's avatar
    Gavin_Connell-O
    Icon for Nimbostratus rankNimbostratus
    Aug 04, 2014

    Hey guys,

     

    I has cookie secure set originally, and quickly tried 'un-setting' this but got the same result. I'll do what you suggest Kevin thanks. Comparing HTTP traces side by side should help explain what's going on. I'll also add an iRule to the virtual server to log all client side and server side request and response headers. Something interesting might pop up.

     

    It would be a real boost to be able to give our Mac users SSO on Safari. As I said, Chrome works fine, but as Safari is the default client, I really need to get it working if I can.

     

  • Gavin_Connell-O's avatar
    Gavin_Connell-O
    Icon for Nimbostratus rankNimbostratus
    Aug 05, 2014

    Hi all,

     

    Here's a log of a connection attempt using Safari, as seen in the APM log file with debug logging turned on. The process doesn't proceed to the 'Kerb Auth' negotiate branch in my access policy like it does with a functioning browser. Any clues here guys?

     

    Aug 5 15:20:44 slot1/ProdSAML1 notice tmm1[11234]: 01490506:5: 6a97fa9f: Received User-Agent header: Mozilla%2f5.0%20(Macintosh%3b%20Intel%20Mac%20OS%20X%2010_9_4)%20AppleWebKit%2f537.77.4%20(KHTML%2c%20like%20Gecko)%20Version%2f7.0.5%20Safari%2f537.77.4. Aug 5 15:20:44 slot1/ProdSAML1 notice tmm1[11234]: 01490544:5: 6a97fa9f: Received client info - Type: Mozilla Version: 1 Platform: MacOS CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1 Aug 5 15:20:44 slot1/ProdSAML1 notice tmm1[11234]: 01490500:5: 6a97fa9f: New session from client IP 130.195.246.56 (ST=Wellington/CC=NZ/C=OC) at VIP 130.195.2.22 Listener /Common/staff-o365-sso-vs (Reputation=Unknown) Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 74 Msg: Header received: GET /my.policy HTTP/1.1 client-session-id: edf3f149211a2db68de5553c6a97fa9f session-key: 3ec4d5b7049208ae2fb7e9b66a97fa9f profile-id: /Common/Office365-SSO session-id: 6a97fa9f snapshot-id: 18ff82d3c2ee1_34oooooooooooooooo cmp-pu: 1 Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 710 Msg: Received Session Id: "6a97fa9f" Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490006:6: 6a97fa9f: Following rule 'fallback' from item 'Start' to item 'IP Subnet Check' Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 303 Msg: variable "session.user.clientip" was not found in the local cache for session "6a97fa9f" Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.user.clientip to Session Var tmm.session.6a97fa9f.session.user.clientip Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490006:6: 6a97fa9f: Following rule 'VUW Subnet' from item 'IP Subnet Check' to item 'Client OS' Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 303 Msg: variable "session.client.platform" was not found in the local cache for session "6a97fa9f" Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.client.platform to Session Var tmm.session.6a97fa9f.session.client.platform Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490006:6: 6a97fa9f: Following rule 'MacOSX' from item 'Client OS' to item 'Mac-HTTP-401-Response' Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490011:7: 6a97fa9f: Logon agent: ENTER Function executeInstance Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490012:7: 6a97fa9f: Logon agent: LEAVE Function executeInstance Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490004:6: 6a97fa9f: Executed agent '/Common/Office365-SSO_act_HTTP_401_Response_1_ag', return value 3 Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.apd.id to Session Var tmm.session.6a97fa9f.session.apd.id Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490007:6: 6a97fa9f: Session variable 'session.apd.id' set to '1' Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.logon.page.customization.group to Session Var tmm.session.6a97fa9f.session.logon.page.customization.group Aug 5 15:20:45 slot1/ProdSAML1 info apd[8333]: 01490007:6: 6a97fa9f: Session variable 'session.logon.page.customization.group' set to '/Common/Office365-SSO_act_HTTP_401_Response_1_ag' Aug 5 15:20:45 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "setSessionInactive()" line: 852 Msg: 6a97fa9f: done with request processing Aug 5 15:20:45 slot1/ProdSAML1 notice tmm1[11234]: 01490501:5: 6a97fa9f: Session deleted due to user logout request.

     

  • Gavin_Connell-O's avatar
    Gavin_Connell-O
    Icon for Nimbostratus rankNimbostratus
    Aug 05, 2014

    Here's the APM log of a working connection using Windows and Internet Explorer. Have a look at the two lines at the end in bold.

     

    ./AccessPolicyProcessor/Session.h func: "setSessionInactive()" line: 852 Msg: a13f9d67: done with request processing

     

    is followed by

     

    AccessPolicyD.cpp func: "process_request()" line: 710 Msg: Received Session Id: "a13f9d67"

     

    but in the Mac session, the next line is

     

    7ba89460: Session deleted due to user logout request.

     

    and the user gets a log out APM page saying, "Your session could not be established. Invalid Session ID. The session may have expired"

     

    Is the APM session ID getting dropped somehow? Before the kerberos agent can process?

     

    Aug 5 14:56:19 slot1/ProdSAML1 notice tmm1[11234]: 01490506:5: a13f9d67: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1%3b%20WOW64)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f36.0.1985.125%20Safari%2f537.36.

     

    Aug 5 14:56:19 slot1/ProdSAML1 notice tmm1[11234]: 01490544:5: a13f9d67: Received client info - Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1

     

    Aug 5 14:56:19 slot1/ProdSAML1 notice tmm1[11234]: 01490500:5: a13f9d67: New session from client IP 130.195.246.55 (ST=Wellington/CC=NZ/C=OC) at VIP 130.195.2.22 Listener /Common/staff-o365-sso-vs (Reputation=Unknown)

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 74 Msg: Header received: GET /my.policy HTTP/1.1 client-session-id: 47985462004dd7a5a0564d20a13f9d67 session-key: f796bf4ea09794c31c3419c7a13f9d67 profile-id: /Common/Office365-SSO session-id: a13f9d67 snapshot-id: 17872035831f42_29ooooooooooooooo cmp-pu: 1

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 710 Msg: Received Session Id: "a13f9d67"

     

    Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490006:6: a13f9d67: Following rule 'fallback' from item 'Start' to item 'IP Subnet Check'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 303 Msg: variable "session.user.clientip" was not found in the local cache for session "a13f9d67"

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.user.clientip to Session Var tmm.session.a13f9d67.session.user.clientip

     

    Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490006:6: a13f9d67: Following rule 'VUW Subnet' from item 'IP Subnet Check' to item 'Client OS'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 303 Msg: variable "session.client.platform" was not found in the local cache for session "a13f9d67"

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.client.platform to Session Var tmm.session.a13f9d67.session.client.platform

     

    Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490006:6: a13f9d67: Following rule 'Kerberized OS' from item 'Client OS' to item 'HTTP 401 Response'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490011:7: a13f9d67: Logon agent: ENTER Function executeInstance Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490012:7: a13f9d67: Logon agent: LEAVE Function executeInstance

     

    Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490004:6: a13f9d67: Executed agent '/Common/Office365-SSO_act_HTTP_401_Response_ag', return value 3

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.apd.id to Session Var tmm.session.a13f9d67.session.apd.id Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490007:6: a13f9d67: Session variable 'session.apd.id' set to '1'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.basicrealm to Session Var tmm.session.a13f9d67.session.basicrealm Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490007:6: a13f9d67: Session variable 'session.basicrealm' set to 'staff.vuw.ac.nz'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 1160 Msg: Converted Var: session.logon.page.customization.group to Session Var tmm.session.a13f9d67.session.logon.page.customization.group

     

    Aug 5 14:56:19 slot1/ProdSAML1 info apd[8333]: 01490007:6: a13f9d67: Session variable 'session.logon.page.customization.group' set to '/Common/Office365-SSO_act_HTTP_401_Response_ag'

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "setSessionInactive()" line: 852 Msg: a13f9d67: done with request processing

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 710 Msg: Received Session Id: "a13f9d67"

     

    Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490011:7: a13f9d67: Logon agent: ENTER Function executeInstance Aug 5 14:56:19 slot1/ProdSAML1 debug apd[8333]: 01490012:7: a13f9d67: Logon agent: LEAVE Function executeInstance

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 05, 2014

    What I see is the policy following the Mac-HTTP-401-Response branch for the MAC client, and from there it simply dies. The 401 agent should be sending a 401 WWW-Authenticate header to the client, which should trigger the browser to prompt the user for credentials. If you have a client side capture running you should see this 401, the prompt, and then the request back to the server with an Authorization header containing the user's submitted credentials. I'm guessing if you look at this capture you'll see the 401 response but the client will not do anything with it.

     

  • Gavin_Connell-O's avatar
    Gavin_Connell-O
    Icon for Nimbostratus rankNimbostratus
    Aug 05, 2014

    Hi Kevin,

     

    We see the WWW-Authenticate header from the APM, and the negotiate response including the kerberos ticket going back to the F5. And then the session fails. You can see an example of the HTTP head/reponses in my first post. It's from a different access policy, but using essentially the same APM config and Mac client.

     

    Have you ever heard of Safari successfully participating in kerberos ticket exchange with the APM? Does the APM support using Safari? I don't want to spend forever digging deeply into this if it hasn't been proven to work.

     

    Gavin

     

  • RobLL_77876's avatar
    RobLL_77876
    Icon for Nimbostratus rankNimbostratus
    Aug 28, 2014

    There is a bug defect in Safari (All platforms) where a cookie set on a 302 redirect will not set the cookie. And it definitely manifests itself when performing 401 response auth rather than form based which works fine. By default on 11.3 and higher, session id rotation is enabled. So it will set a different cookie for each step in the access policy evaluation. It still ends in the same session id value (LastMRH_Session cookie is the same and the ending of the MRHSession cookie equal to the LastMRH_Session (SessionID) but different value before it). For example, Cookie: LastMRH_Session=07f180b2; MRHSession=6e28aa1fed2168da5f4636d507f180b2 AND Cookie: LastMRH_Session=07f180b2; MRHSession=3f28aa1eed1168da5e2346e407f180b2

     

    So when Safari receives the 302 to /my.policy, it sends the second set-cookie and Safari sends the first one again which is incorrect for the session. Thus an errorcode=20 which is most likely what you are seeing. To resolve that, disable session id rotation by the following db variable setting: tmsh modify sys db apm.rotatesessionid value disable tmsh save sys config

     

    You should at least get past the session invalid issue with this modification. Then you can concentrate on the kerberos authentication itself. I noticed when offered negotiate and basic, safari tried kerberos everyctime even if not quite confifured and then it would fail, then try basic auth in the same session. Not sure that an APM policy would allow a client to change from negotiate to basic in the same session so watch out for that since I believe it would follow one branch in the tree. But I am definitely curious of your results after you get by the session invalidation. Good Luck and please post an update of your results!