cancel
Showing results for 
Search instead for 
Did you mean: 

uwebbrowserparser.cpp, UWebBrowserParser::DocumentComplete

pasha
Altostratus
Altostratus

Hello,

We are having an issue with our F5 Edge Client that produces a popup each time from Microsoft to authenticate (pick a user). These machines are hybrid joined to Azure and nothing is triggering an Azure conditional access policy to force it to reauthenticate.

What we have noticed is that if we sign in to the F5 via the MS Edge web browser (in Compatibility mode), sign out, and then use the F5 Edge client to sign back in again, we are not prompted to authenticate (this is the desired state).

When I look at the logs on the F5 Edge Client I see an entry for APPCTRL uwebbrowserparser.cpp, UWebBrowserParser::DocumentComplete that appears to do the rendering of the Authentication webpage.

Assuming this is doing the browsing/rendering of the authentication webpage, my question is, how is this able to pass my credentials automatically if I login via the webbrowser prior to, but not if I reboot, restart the F5 Edge application, or disconnect/reconnect?

Any help or guidance would be appreciated. Thanks very much.

4 REPLIES 4

You have not provided a lot of info what F5 article you have followed to make the authentication seemless and what authentication you are using.

 

Maybe try to upgrade the F5 Edge client to te final version as it sounds to me that the F5 Edge Client is not honoring the persistant cookie option in Azure AD:

 

https://techdocs.f5.com/en-us/apm-f5-access/apm-f5-access-windows-10-using-intune/c_f5_access_window...

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...

 

It could be good to investigate from the Azure AD logs as why when the connection commes from the Edge Client and not a browser if there is an issue asking for reauthentication.

 

Also maybe the F5 Edge client by design may not keep any persistant cookies but this is something that maybe F5 TAC can tell.

 

 

Edit:

 

Also I found it interesting that the Edge Client as you say is trying to use its native embeded web browser and not opening Chrome or other browser to display the SAML loging page as this will be much better:

 

https://community.f5.com/t5/technical-articles/vpn-access-with-mfa-using-edge-client-7-2-1-and-apm-1...

 

Other thing that you can check if " ForceAuthn" is set:

 

https://support.f5.com/csp/article/K55489557

Thank you for your response.

We are using the most recent F5 client. And yes I agree with you regarding the Edge Client using the native embedded browser vs. system default browser. I beleive this is the root cause of the issue. However, I looked at the Okta link you pasted and I'm not seeing where it mentions the setting to use the system default browser on the Edge Clients. 

What is your Edge client version as it could be a bug using the embedded browser?  Also look at this link and supplement articles as a browser plug-in should be installed with the edge client installation https://support.f5.com/csp/article/K99054837

Edge Client is 7221,2022,412,1126 (I think that is the latest available?)

And yes, I agree it could be a bug (or some kind of incompatibility) with the embedded browser. The embedded browser is running a legacy version of IE10/11 rendering engine. I'm still not clear how to get the client to open the system default browser instead. The link pasted suggests that F5 is telling users to only go through the web browser to connect instead of using the Edge Client. We still want to leverage the Edge Client but have it open the system default browser instead of the embedded browser.