Forum Discussion
Yann_Desmarest
May 04, 2016, Cirrus
APM retains the Kerberos ticket that you already played and falls back to a 401 prompt, as it doesn't allow replaying the same Kerberos token multiple times. You have to clear your authentication cache on the browser side. We work around this behavior by injecting JavaScript code within the response to the client. Here is an example of a JavaScript function that works: void(document.execCommand('ClearAuthenticationCache')).
The issue is that Internet Explorer sends the same Kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...
- f5learn_164388, May 04, 2016, Nimbostratus
  Thanks, Yann, for answering this post. We will take a look at this workaround. The only concern is that it clears the cache for everything. Also, going through the links below, it looks like there is success for Kerberos seamless. I am a little surprised that all these have to deal with the workaround. Or is APM accepting the same token a bug that has been fixed in later versions? Currently we are on 11.5.1. Any insight is appreciated.
  https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm
  https://devcentral.f5.com/questions/kerberos-caching-option
  Thanks, ski
- Yann_Desmarest, May 07, 2016, Cirrus
  Don't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clears the credential caching only. But it works for IE only :( For your information, we get this issue when the user authenticates using Kerberos, then logs out, and the re-login fails because the same Kerberos token is played on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the Kerberos AAA object.
- f5learn_164388, May 13, 2016, Nimbostratus
  Thanks, Yann, for the comment. Yes, we faced the re-login failure issue as you mentioned. Will take a look at Request Based Auth. The suggestion below from Michael is addressing this.