Kevin,
Many thanks for your reply.
First, for the dumb question: do I need to set the internal APM to clientless mode in some way, or is that already done in the iRule?
From what I read, when APM is in clientless mode you can't have a logon page. This presents a challenge, as the internal APM currently has a policy which has:
Logon Page (Heavily customised with warnings/info etc) > AD Auth > SSO Mapping > Full Resource Access (Portal Access).
The APM at the edge has no access to the AD for auth and does RSA SecurID auth (i.e. users have to authenticate twice: once to RSA at the edge, then they get the customised logon page with AD auth on the internal APM).
Is what you are suggesting to construct the customised logon page on the edge device to capture the AD credentials, which would then be passed to the backend APM policy to authenticate?
Ideally I don't want to have to use clientless mode on the internal APM, as then I could potentially use the VS/APM policy as it is presented to internal users.
Having said that, this is what I tried:
Added a "Logon Page" to the end of the Edge APM policy to capture username/password.
Amended the front end iRule to include:
    # This is the data that will be passed to the internal APM - define HTTP headers and values here
    set apmsessionuser [ACCESS::session data get "session.logon.last.username"]
    set apmsessionpass [ACCESS::session data get "session.logon.last.password"]
    HTTP::header replace AGUSER $apmsessionuser
    HTTP::header replace AGPASS $apmsessionpass
Removed the Logon Page from the internal APM policy.
Amended the internal iRule to include:
    # The authenticated user data is being transmitted from the external APM via HTTP headers. This section
    # extracts those values and inserts them back into APM access policy session variables for use by the
    # server side authentication process.
    if { [HTTP::header AGUSER] ne "" } {
        ACCESS::session data set session.logon.last.username [string trim [HTTP::header AGUSER]]
        if { [HTTP::header AGPASS] ne "" } {
            ACCESS::session data set session.logon.last.password [string trim [HTTP::header AGPASS]]
        }
    }
However, what I get is "Your session is finished. Logged out successfully".
If I look at the list of sessions on the back-end it is correctly showing the username captured in that second logon page, so that is coming across, but in the Access report the username doesn't show and the report is as follows:
2014-01-16 18:16:09 Following rule 'fallback' from item 'Start' to item 'AD Auth' Common
2014-01-16 18:16:09 AD agent: ENTER Function executeInstance Common
2014-01-16 18:16:09 AD module: ENTER Function authenticateUser Common
2014-01-16 18:16:09 AD module: authentication with '' failed: empty password detected (-1) Common
2014-01-16 18:16:09 AD module: authenticate(): empty password detected (-1) Common
2014-01-16 18:16:09 AD module: LEAVE Function authenticateUser Common
2014-01-16 18:16:09 AD agent: Auth (logon attempt:0): authenticate with 'testuser' failed Common
2014-01-16 18:16:09 AD agent: LEAVE Function executeInstance Common
2014-01-16 18:16:09 Executed agent '/Common/InternalPortal-Test_act_active_directory_ag', return value 0 Common
2014-01-16 18:16:09 Following rule 'fallback' from item 'AD Auth' to ending 'Deny' Common
2014-01-16 18:16:09 Access policy result: Logon_Deny
So the 'testuser' is coming across in the iRules, but the password is not.
Any further ideas/suggestions would be very much appreciated.
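The edge-to-internal credential hand-off described in the post, written out as a complete pair of iRules so the two halves can be read side by side. This is an added example and not code from the post, from Kevin, or from F5. The AGUSER/AGPASS header names and the session.logon.last.* variables are the post's; everything else is assumed: the events chosen (HTTP_REQUEST on the edge, HTTP_REQUEST plus ACCESS_SESSION_STARTED on the internal side, with a flow variable carrying the values between them), the -secure flag on ACCESS::session data get/set for the password variable, and the edge APM's source address 192.0.2.10, which is a placeholder. It goes slightly beyond the post's snippets by only honouring the headers when they come from the edge device and by stripping them before the request reaches the pool members.

```tcl
# ---- Edge APM iRule (added example; events and -secure flag are assumptions) ----
# Runs on the external virtual server whose access policy ends with the extra
# Logon Page, so the session variables below are populated before forwarding.
when HTTP_REQUEST {
    set apmsessionuser [ACCESS::session data get "session.logon.last.username"]
    # The password variable is stored encrypted in the session database; -secure
    # (assumed here) is what reads it back in the clear for use in the iRule.
    set apmsessionpass [ACCESS::session data get -secure "session.logon.last.password"]

    # Only attach the headers once the edge logon has actually produced a username.
    if { $apmsessionuser ne "" } {
        HTTP::header replace AGUSER $apmsessionuser
        HTTP::header replace AGPASS $apmsessionpass
    }
}

# ---- Internal APM iRule (added example; events and -secure flag are assumptions) ----
# Runs on the internal virtual server, whose policy starts directly at AD Auth.
when HTTP_REQUEST {
    # Placeholder: the address the edge APM connects from. Credentials carried in
    # headers are only trusted from this source; any other client gets them dropped.
    set edge_apm_ip "192.0.2.10"

    set hdr_user ""
    set hdr_pass ""
    if { [IP::client_addr] equals $edge_apm_ip } {
        set hdr_user [string trim [HTTP::header value AGUSER]]
        set hdr_pass [string trim [HTTP::header value AGPASS]]
    } elseif { [HTTP::header exists AGUSER] || [HTTP::header exists AGPASS] } {
        log local0. "Ignoring credential headers from unexpected source [IP::client_addr]"
    }

    # Never let the plaintext credentials travel on to the pool members.
    HTTP::header remove AGUSER
    HTTP::header remove AGPASS
}

# Seed the new APM session from the values captured above. Assumes this event
# fires for the same flow after HTTP_REQUEST, so $hdr_user / $hdr_pass are set.
when ACCESS_SESSION_STARTED {
    if { [info exists hdr_user] && $hdr_user ne "" } {
        ACCESS::session data set session.logon.last.username $hdr_user
    }
    if { [info exists hdr_pass] && $hdr_pass ne "" } {
        # Stored with -secure (assumed) so the AD agent reads it the same way it
        # would read a password entered on a Logon Page.
        ACCESS::session data set -secure session.logon.last.password $hdr_pass
    }
}
```

Two points a reviewer would check in a deployment like this: the hop from the edge virtual to the internal virtual must be TLS, since the AD password is in a plain HTTP header on that leg, and the internal virtual should not be reachable by ordinary clients on a path that skips the source-address check, otherwise anyone who can reach it can supply their own AGUSER/AGPASS pair. If the password still arrives empty at the AD agent, the first thing to confirm is whether the value read on the edge is empty (log the string length, never the value) before looking at the internal side.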