Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

HTTP::Cookie iRule Empty after Access Policy

RobertJuric
Nimbostratus
Nimbostratus

‎18-Jun-2020 08:13 - last edited on ‎04-Jun-2023 21:24 by Fog

I have a virtual server with an access policy for Kerberos authentication. After Kerberos authenticates, we perform an AD query and then insert a cookie with an AD attribute for the back-end server.

We recently needed to add a fail-back authentication method, so if Kerberos fails we show a login page with RSA authentication. All of that works, but when the cookie is created after a successful RSA authentication the variable in the cookie is empty. The cookie is created, but is always empty unless Kerberos is successful. 

when HTTP_RESPONSE {
   log local0. "HTTP RESPONSE"
   HTTP::cookie insert name "REMOTE_USER" value "[ACCESS::session data get "session.ad./Common/testapp_act_active_directory_query_ag.attr.sAMAccountName"]" path "/"
}
Labels:
0 Kudos
3 REPLIES 3

boneyard
MVP
MVP

‎22-Jun-2020 10:17

i assume because the Kerberos authentication does AD query for you.

 

if you add the AD query VPE after the RSA authentication you should be fine.

0 Kudos

RobertJuric
Nimbostratus
Nimbostratus

‎22-Jun-2020 10:36

I already have an AD query after the authentication methods, as I wasn't aware the Kerberos did an AD query.

 

When testing the RSA authentication, the session log shows all the AD attributes, but it isn't added to the cookie. I wasn't sure if they possibly had different names or if the HTTP_RESPONSE event was happening before the AD query.

0 Kudos

boneyard
MVP
MVP

‎22-Jun-2020 10:50

ah, didnt know there was an AD query already, disregard my remark on Kerberos auth doing that then, assumption on my part.

 

so the AD query does have the username to work with when doing just RSA auth? you say you see all attributes, and sAMAccountName is on the same variable like shown above? the /Common/ in there looks strange to me, but i havent seen everything of course.

 

have you tried logging the value in the iRule to see if it is just not there or something else?

0 Kudos
Copyright © 2023 Khoros, LLC