apm clientless mode
4 Topics

APM session username/password vars not copied in from iRule? Not showing in session report, and auth always fails
I am setting up a clientless mode policy for a web service, where the caller passes in a basic auth header, and I want to pass the provided username/password into the policy. The iRule I'm using to do this is as follows:

```tcl
when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
    if { not ( [HTTP::header exists Authorization] ) } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"FISERV Credentials\""
        return
    }
    if { [HTTP::username] eq "" or [HTTP::password] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"FISERV Credentials\""
        return
    }
    log local0. "In HTTP_REQUEST, FISERV Username [HTTP::username], pw [HTTP::password]"
}

when ACCESS_SESSION_STARTED {
    log local0. "In APM session, FISERV Username [HTTP::username], pw [HTTP::password]"
    ACCESS::session data set session.logon.last.username [HTTP::username]
    ACCESS::session data set session.logon.last.password [HTTP::password]
}
```

(Sorry, can't figure out how to do a clean code block.)

The LTM log shows the correct HTTP vars, in both events in the iRule. In the policy, I have a logging agent that dumps session.logon.*, but last.username and last.password are never present (the only session.logon vars shown are captcha.tracking, page.errorcode, and page.challenge, all blank). And my local user DB auth agent always denies access, going down the "locked out" branch (even though the user is not locked out per the local user DB info elsewhere in the APM menus). I get the following errors associated with the auth attempt:

"unable to decrypt user password due to invalid ciphertext"
"Login for user FISERV, instance /Common/ESB-Fiserv rejected - Account locked out."

Again, the account doesn't show as locked out, and attempts is 0. This is on 11.5.1HF5. Thoughts? Suggestions on how to debug? Should I put in a var assignment agent in the policy, and if so, how do I access the HTTP vars in that context? thx!
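The same hand-off written so that the password lands in the session in the encrypted form the APM auth agents expect: APM stores `session.logon.last.password` encrypted, and `ACCESS::session data set -secure` is the iRule form that does this; a plaintext value in that variable is the usual source of the "unable to decrypt user password due to invalid ciphertext" error. This is an added example, not the poster's iRule; the realm string and log text are placeholders, and the credentials are captured into Tcl variables in HTTP_REQUEST so the ACCESS event does not depend on the HTTP commands.

```tcl
# Added example: clientless-mode Basic auth hand-off to an APM policy.
# Placeholders: realm string, log prefix. Not the original poster's iRule.
when HTTP_REQUEST {
    # Suppress APM logon pages for this API-style request
    HTTP::header insert "clientless-mode" 1

    # Reject requests without usable Basic credentials before APM sees them
    if { !([HTTP::header exists Authorization]) ||
         [HTTP::username] eq "" || [HTTP::password] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Example Realm\""
        return
    }

    # Capture once; these connection-scoped Tcl variables are still
    # visible in ACCESS_SESSION_STARTED on the same connection
    set apm_user [HTTP::username]
    set apm_pass [HTTP::password]

    # Log the username only; the password never belongs in /var/log/ltm
    log local0. "clientless request for user $apm_user"
}

when ACCESS_SESSION_STARTED {
    # Username is an ordinary string variable: plain set is fine
    ACCESS::session data set session.logon.last.username $apm_user

    # Password variables are read back decrypted by the auth agents, so the
    # value must be stored encrypted with -secure, not as plaintext
    ACCESS::session data set -secure session.logon.last.password $apm_pass

    # Clear the plaintext copy as soon as it is no longer needed
    unset apm_pass
}
```

With the password stored this way, a logging agent placed before the auth agent should show session.logon.last.username populated, which is a quick check that the variables actually reached the session before looking at the auth agent's own result.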
client certificate authentication - continued

I've been working on an APM policy to use client cert auth (no login page/no password) for Exchange ActiveSync. I think my session is successful but this isn't right and I'm not sure that Exchange is actually accepting this. Here's a snip of a session. The domain name is set; the entries "metadata len 351" and "Could not find SSO domain, check variable assign agent setting" will continue to repeat throughout the session.

VPE
Send 401 response instead of redirecting to /vdesk/hangup.php3 page if credentials are invalid

I currently have an LTM-APM access policy set up to prompt the user for credentials, complete an AD auth, and send them on to the backend server that hosts an API. I do have clientless-mode enabled via an iRule on the virtual server. Our scenario is as follows: the user has an app on their device that will save credentials to be passed with the request for data from our API/RESTful site. If the user's password expires, the API site should respond with a 401 response, in which case the app will then prompt for the user's username/password again, but the APM redirects them to /vdesk/hangup.php3. Does anyone have any suggestions on what to try here to get the 401 response if the credentials are incorrect?

Current policy

Thanks in advance.