access policy
APM Policy Error when logging in "Session cannot be established"
I am having an issue with APM that I am hoping someone can help me with. I currently have a fairly basic policy set up using an external logon page. It then checks two domains to see if the user is part of either of those domains. I created a custom ending that redirects the user back to the logon page if they cannot be authenticated, and checked the box to close session data after redirect. The problem I am running into is that if the user enters an incorrect password it brings them back to the logon page, but then, whether they enter the correct password or an incorrect one, they get the error: "Your session could not be established. BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session." Anyone have any ideas on why the user cannot log in the second time around?

APM Access Policy - Pass LDAP or AD Query variable
Is it possible to query whether a user has a value for one or another variable, then use that to pass or fail passage down the rest of the swimlane for access? (e.g. expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0}, where the two variables are numbers or a non-constant string, but do have a value... and are not "<not set>".) Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0} can be sent to a URI or URL? Any assistance would be greatly appreciated!

F5 webmail exchange 2016 - "Access policy evaluation is already in progress for your current session."
We recently moved over to Outlook 2016. Users that are on 2010 connect fine and never have an issue. The new users that have moved over to 2016 mailboxes get the error message above in the title. When they connect, they get the following add-ons to their URL: ?bO=1 sessiondata.ashxappcacheclient=1&acver=15.1.1591.8&crr=1. I have tried iRules from the following DevCentral questions and answers with no success: "Access policy evaluation is already in progress for your current session" and "How to avoid "Access policy evaluation is already in progress"" (iRules from matt, Misty Spillers & Stanislan Piron tested and didn't help). If I have users open a browser in "InPrivate Browsing" or "Incognito" mode, they don't get the error. I have also tried the windows_10_anniversary_fix as well as all the iRules on page 76 of the iApp deployment guide for Exchange 2016. Deployment guide stuff I tested that doesn't work:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

and tried this:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

I have a ticket open with F5 but they are saying "oh, just check the guide". Not helpful. Hoping someone from the community can help me. Thanks in advance!

Branch evaluation fails with Rule evaluation error: invalid command name "session.logon.last.username"
Hopefully somebody is able to enlighten me. I have the code below in a branch rule expression of an AD Query element. I get a 'Rule evaluation failed with error: invalid command name "session.logon.last.username"' error. The purpose is to translate an email entered to the matching AD logon username from AD. The AD query succeeds (mail=%{session.logon.last.username}). It looks like the variable assign element is not able to change the session.logon.last.username variable.

    if { [mcget {session.ad.last.queryresult}] == 1 } {
        session.logon.last.username = mcget {session.ad.last.attr.sAMAccountName};
        return 1;
    };
    return 0;

Thanks for sharing your thoughts / ideas.
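Added example, not code from either post, for the two branch-rule questions above (the attribute check in "APM Access Policy - Pass LDAP or AD Query variable" and the assignment error in this post). Assumptions: the AD Query agent exposes queried attributes as session.ad.last.attr.<attribute> and its outcome as session.ad.last.queryresult, mcget returns an empty string for a variable that was never set, and variable1/variable2 stand in for the poster's attribute names. The point it shows is that an APM branch rule is a read-only Tcl expression evaluated with expr, so writing a session variable belongs in a separate Variable Assign agent; a bare "session.logon.last.username = ..." inside a branch rule is parsed as a Tcl command, which is what the 'invalid command name' error reports.

```tcl
# Added example (not from the posts above). Three APM Tcl snippets that go in
# different places in the Visual Policy Editor. Assumed variable names:
# session.ad.last.queryresult and session.ad.last.attr.<attribute> from the
# AD Query agent; variable1/variable2 are placeholders.

# 1) Branch rule expression on the AD Query agent: pass only if the query
#    succeeded and at least one of the two attributes came back populated.
#    Assumption: mcget yields "" for an unset variable, so test against ""
#    rather than 0 (a numeric attribute whose value is 0 should still pass).
expr {
    [mcget {session.ad.last.queryresult}] == 1 &&
    ( [mcget {session.ad.last.attr.variable1}] ne "" ||
      [mcget {session.ad.last.attr.variable2}] ne "" )
}

# 2) Second branch rule on the same agent: query succeeded but neither
#    attribute is populated. Terminate this branch with a Redirect ending
#    to send the user to the URL/URI asked about in the earlier post.
expr {
    [mcget {session.ad.last.queryresult}] == 1 &&
    [mcget {session.ad.last.attr.variable1}] eq "" &&
    [mcget {session.ad.last.attr.variable2}] eq ""
}

# 3) Variable Assign agent placed on branch 1 (Custom Variable on the left,
#    Custom Expression on the right). This is the only place a session
#    variable is written; the expression must return the new value.
#    Here it replaces the email address the user typed with the account's
#    sAMAccountName so that later agents see a logon name.
session.logon.last.username = expr { [mcget {session.ad.last.attr.sAMAccountName}] }
```

Snippets 1 and 2 are entered as branch rules (advanced tab) of the AD Query agent, snippet 3 is a separate Variable Assign agent on the first branch. Using `ne`/`eq` keeps the comparison a string comparison, so an attribute containing only digits is handled the same way as a text one.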
APM Active Directory Trusted Domains - how to use?

Hi, I checked all docs and community but can't figure out how this feature works. Let's assume we have two AD AAA servers defined:

    DomainA - no trust with DomainB
    DomainB - no trust with DomainA

Then there is an Active Directory Trusted Domains object created containing both AD AAA servers, with DomainA set as root, named TrustedAB. In the Access Policy the AD Auth object is configured like this:

    Server: None
    Trusted Domains: TrustedAB
    Cross Domain Support: Enabled

In the Logon Page object, Split domain from full Username is set to Yes. I expected that based on the value in session.logon.last.domain, AD Auth would be smart enough to choose the correct AD AAA server from those included in Trusted Domains. But that's not the case. AD Auth is sending a KRBR request to the AD AAA server defined as Root in the selected Trusted Domains object. The realm in the request is set to DomainA. When the targeted server replies with a wrong realm error the process is finished and authentication fails. When there is a two-way forest trust between DomainA and DomainB, then the target AD server replies with a Kerberos referral placing DomainB in the crealm parameter. Then AD Auth performs a new KRBR request to the DomainB AD AAA server and authentication works. So how exactly does Active Directory Trusted Domains work, and when does it make sense to use it? For sure not when all domains have two-way (or even one-way) trust configured - in this case setting one AD AAA server and enabling Cross Domain Support is enough. Piotr

APM sessions broken out by access policy?
I don't believe this is possible, but I'll ask just to be sure... For VPN, based on their user ID or an Active Directory query, etc., a user is assigned an APM access policy appropriate for their level of access. Is it possible, beyond running a custom report via the GUI, to display/track the current number of users connected via one access policy or another? I've used "tmsh show /apm license" to see how many licenses are consumed, and have also run reports via the GUI to see how many people have connected via a specific APM policy, but this is a bit beyond that. I'd think there would have to be some mechanism to tally not only connections via an APM policy, but one to update the total whenever a session terminates. Thanks!

Basic Machine Cert inspection in APM Policy
Hi guys, just a newbie question here I guess. I need to set up a basic Machine Cert Auth action in my access policy. I've read the documentation but it just describes it, not naming conventions etc. I've checked my PC and I get a valid machine certificate, and it's stored in Certificates (Local Computer)\Personal\Certificates. It's a valid machine cert issued to the machine with the correct FQDN and issued by my Subordinate CA. In the Machine Cert Auth action, I'm not sure what to name the Certificate Store. I've tried personal and personal\certificates but I'm not sure if it's actually finding the certificate. Certificate Store Location is LocalMachine. CA Profile is /Common/certificateauthority (all default settings - can't seem to select a valid CA cert inside this profile, it just keeps resetting to none). OCSP Responder is None. Certificate Match Rule: SubjectCN Match FQDN. It doesn't need to be fancy just yet. All I want it to do is check that it has a valid machine cert issued from our internal CA and that it hasn't expired. Then it passes on to the next auth method. No idea where to start really; the only error I can see in the reports is machinecert_auth_ag.result -2. I can't even tell if the policy is finding the certificate. HELP!? :)

Copy Access Policies to a different partition
Is it possible to copy an Access Policy between different partitions? From the GUI, the Copy function only works to copy the policy to the same partition. I have tried the Export function to export the configuration, then selected the target partition and used the Import function. This doesn't work either. I am running BIG-IP v11.3.0 (Build 3093.0). Adrian

Explicit proxy and client NTLM
Hi, I am pretty sure it is easy and possible but I can't figure out how. I have a user logged into the domain, an explicit proxy is configured on LTM, and the user's browser is pointed to the proxy IP. I would like to avoid a separate login when first accessing the proxy. I tried to set it up based on the article about client NTLM but it fails, so I think it's a bit different for the proxy than for accessing some sites directly. In the Access Profile (type SWG-Explicit) there is an option to choose the NTLM Auth configuration created before (option NTLM Auth Configuration). I did that; now the question is what to choose for User Identification Method - if I recall, the options are http (maybe IP) or credentials - or is it not important in the case of an explicit proxy? What should be placed in the Access Policy? First 407 response, then NTLM Auth Result, then Allow for successful? I wonder if in this case assigning an eca profile (and an iRule enabling it) to the VS configured as explicit proxy is necessary - I suspect probably not, and doing so could be the main issue? That step was in Configuring APM Client Side NTLM Authentication, but is that necessary for the proxy? Piotr