Forum Discussion

Marvin
Oct 09, 2019

Invalid nonce error messages with mobile devices and F5 as SAML SP/IDP

Dear all,

I am wondering if someone has already successfully integrated mobile apps with an F5 SP/IDP setup where SAML authentication is being used for the F5 login page.

Everything works just fine on laptops with the Chrome browser; however, when we use mobile phones, in this case Android with the Chrome browser and applications published by Airwatch on the phone, we receive "invalid nonce" errors when connecting to the F5. The published applications actually open a Chrome browser tab when establishing a connection to the F5 SP/IDP.

Now I installed a Fiddler proxy on my laptop to investigate and decrypt the traffic from the mobile phone. The mobile phone is sending a request to /my.policy and is providing the correct MRH cookie of the session, but F5 is responding with the "no nonce" error page (hope you can see the image below), and in the response we see that F5 is redirecting to /my.logout.php3?errorcode=21


I believe the closest bug match is the following, and we see the same behavior with mobile phones only. We currently use 13.1.

https://cdn.f5.com/product/bugtracker/ID738148.html

https://support.f5.com/csp/article/K91172311

On the F5 LTM I enabled request logging, and the logs confirm the same. This is actually a SharePoint web server hosted behind the F5, and we do SAML pre-authentication to the F5 IDP, so it acts as both SP and IDP, with an external IDP connector. Anyway, this works seamlessly with desktops and Chrome browsers, but there seem to be compatibility issues between F5 SP/IDP SAML and mobile phones.

Oct  7 22:23:22 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063786 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063790 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063784 request URL is GET myf5website/my.logout.php3?errorcode=21 and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0

So the above F5 article states the following about when this occurs:

This message occurs when the following condition is met:

A client logging in to a BIG-IP APM resource provides an invalid value (cryptographic nonce) when attempting to establish the session.

Note: A cryptographic nonce (number used once) is a random or pseudo-random number that is used in authentication protocols, such as HTTP digest authentication. Generated nonce values should be sufficiently random to ensure they are not repeated in order to prevent replay attacks and session hijacking. The Invalid Nonce message indicates that a cryptographic value that the client provided to the BIG-IP APM system is not valid.

So I hope someone here has had the same issues, because there is no solution for this known "bug" yet and I would like to find out what is happening here.

Thanks,

Marvin
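As an added triage aid (this is not part of Marvin's post, nor an F5 tool), the script below parses request-logging lines in the format shown above, groups them by MRHsession and flags sessions where a /my.policy request is followed within a few seconds by a redirect to my.logout.php3?errorcode=21, the code the post associates with the Invalid Nonce error page. The sample lines are constructed: the first three mirror the ones in the post, the other two are a made-up healthy session; the iRule name, hostnames, IPs and session IDs are placeholders. The script only correlates what the logs already show and says nothing about the root cause.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the request-logging iRule output shown in the post. The "Client:"
# token is kept as an opaque string because the iRule concatenated client IP and
# source port without a separator (e.g. "198.143.43.22063786").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ info tmm\[\d+\]: "
    r"Rule \S+ <HTTP_REQUEST>: Client: (?P<client>\S+) request URL is "
    r"(?P<method>[A-Z]+) (?P<url>\S+) and accessed Virtual Server Name (?P<vs>\S+) "
    r"with MRHsession (?P<mrh>[0-9a-f]+) and load balanced to (?P<pool>\S+) \d+$"
)

# Error code seen in the logout redirect in the post; the post ties it to the
# APM "Invalid nonce" error page (K91172311).
INVALID_NONCE_ERRORCODE = "21"

# Constructed sample log: three lines patterned on the post (the failing session)
# plus a constructed healthy session. Hostnames, IPs and session IDs are placeholders.
SAMPLE_LOG = """\
Oct  7 22:23:22 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063786 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063790 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063784 request URL is GET myf5website/my.logout.php3?errorcode=21 and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:25:01 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 203.0.113.5051234 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 0123456789abcdef0123456789abcdef and load balanced to /Systems/PRD_Sharepoint_443 0
Oct  7 22:25:02 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 203.0.113.5051234 request URL is GET myf5website/sites/hr/default.aspx and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 0123456789abcdef0123456789abcdef and load balanced to /Systems/PRD_Sharepoint_443 0
"""


def errorcode_of(url):
    """Return the APM errorcode from a my.logout.php3 redirect URL, else None."""
    m = re.search(r"my\.logout\.php3\?(?:[^&\s]*&)*errorcode=(\d+)", url)
    return m.group(1) if m else None


def parse_lines(log_text):
    """Parse request-logging lines into dicts; lines from other sources are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; good enough for intra-day deltas.
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        ev["errorcode"] = errorcode_of(ev["url"])
        events.append(ev)
    return events


def find_nonce_failures(log_text, window_s=10):
    """Group requests by MRHsession and flag sessions whose first my.policy request
    is followed within window_s seconds by a redirect to my.logout.php3?errorcode=21."""
    by_session = defaultdict(list)
    for ev in parse_lines(log_text):
        by_session[ev["mrh"]].append(ev)

    findings = []
    for mrh, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        policy = [e for e in evs if e["url"].endswith("/my.policy")]
        logouts = [e for e in evs if e["errorcode"] == INVALID_NONCE_ERRORCODE]
        if not policy or not logouts:
            continue
        delta = (logouts[0]["ts"] - policy[0]["ts"]).total_seconds()
        if 0 <= delta <= window_s:
            findings.append({
                "mrh": mrh,
                # Source ports differ per request, so several client tokens per session.
                "clients": sorted({e["client"] for e in evs}),
                "policy_requests": len(policy),
                "errorcode": logouts[0]["errorcode"],
                "delta_s": delta,
            })
    return findings


if __name__ == "__main__":
    for f in find_nonce_failures(SAMPLE_LOG):
        print(f"MRHsession {f['mrh']}: {f['policy_requests']} my.policy request(s), "
              f"then errorcode={f['errorcode']} after {f['delta_s']:.0f}s "
              f"from clients {', '.join(f['clients'])}")
```

Run it against a `grep IR-troubleshooting /var/log/ltm` extract instead of SAMPLE_LOG to list every session that died the same way, and compare the client tokens and timing of flagged sessions against the desktop sessions that do not get flagged.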

11 Replies

  • Marvin

    For your information, there is no Airwatch VPN; the mobile phone connects directly to the F5 SP/IDP. Airwatch is only used to publish the apps on the mobile phone.

  • Hey Marvin, can you test going to a webtop in the rule? Then clicking on the configured SAML app?

    • Marvin

      Hi Shawn, we don't use webtops at all on the F5; everything is SP-initiated going to the F5 IDP, or just plain HTTP going directly to the F5 configured as the SP itself. Why do you mention this? Could you give me some more background information, please?

      • Marvin

        For this policy the first step is SAML auth to the F5 SP, which connects to the external IDP connector on the F5.

    • Marvin

      This is just an Airwatch-created app; it launches the Android Chrome browser and connects to the F5 SP for authentication. Behind the F5 there is a SharePoint application. So it's not a "real" app.

    • Shawn_Conway

      Yes, I would think so. They may want to update to at least 14 though. We had some issues with the Outlook client and ended up using the canned iRule "_sys_APM_MS_OFFICE_Support", but we have it go through APM.