HTTP::Cookie iRule Empty after Access Policy

RobertJuric
Nimbostratus

I have a virtual server with an access policy for Kerberos authentication. After Kerberos authenticates, we perform an AD query and then insert a cookie with an AD attribute for the back-end server.

We recently needed to add a fail-back authentication method, so if Kerberos fails we show a login page with RSA authentication. All of that works, but when the cookie is created after a successful RSA authentication the variable in the cookie is empty. The cookie is created, but is always empty unless Kerberos is successful.

    when HTTP_RESPONSE {
        log local0. "HTTP RESPONSE"
        HTTP::cookie insert name "REMOTE_USER" value "[ACCESS::session data get "session.ad./Common/testapp_act_active_directory_query_ag.attr.sAMAccountName"]" path "/"
    }

3 REPLIES

boneyard
MVP

i assume because the Kerberos authentication does AD query for you.

if you add the AD query VPE after the RSA authentication you should be fine.

RobertJuric
Nimbostratus

I already have an AD query after the authentication methods, as I wasn't aware the Kerberos did an AD query.

When testing the RSA authentication, the session log shows all the AD attributes, but it isn't added to the cookie. I wasn't sure if they possibly had different names or if the HTTP_RESPONSE event was happening before the AD query.

boneyard
MVP

ah, didn't know there was an AD query already, disregard my remark on Kerberos auth doing that then, assumption on my part.

so the AD query does have the username to work with when doing just RSA auth? you say you see all attributes, and sAMAccountName is on the same variable like shown above? the /Common/ in there looks strange to me, but i haven't seen everything of course.

have you tried logging the value in the iRule to see if it is just not there or something else?
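
The logging check suggested in the last reply, written out as an added example (not code posted by anyone in the thread): it logs the variable name from the original iRule next to session.ad.last.attr.sAMAccountName and inserts the cookie only when one of them is non-empty. That the session.ad.last name is populated on the RSA branch is an assumption to verify against the session log.

```tcl
# Added troubleshooting example, not code from the thread.
when HTTP_RESPONSE {
    # Variable name copied from the original iRule in the question.
    set named_var "session.ad./Common/testapp_act_active_directory_query_ag.attr.sAMAccountName"
    # Assumption: the AD Query on the RSA branch also fills session.ad.last.*
    set last_var "session.ad.last.attr.sAMAccountName"

    set remote_user ""
    foreach var [list $named_var $last_var] {
        set val [ACCESS::session data get $var]
        # Log every candidate so an empty value can be told apart from a
        # variable that exists under a different name on this branch.
        log local0. "APM variable ${var} = '${val}'"
        if { $remote_user eq "" && $val ne "" } {
            set remote_user $val
        }
    }

    if { $remote_user ne "" } {
        HTTP::cookie insert name "REMOTE_USER" value $remote_user path "/"
    } else {
        # Do not send an empty REMOTE_USER cookie to the back end.
        log local0. "REMOTE_USER not inserted: sAMAccountName empty in session"
    }
}
```

Comparing the logged names with the variables listed in the session log for an RSA login shows whether the attribute is stored under a different name on that branch.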