Activesync APM Client Certificate authentication - Basic authentication password prompts

Hi,

we are trying to implement a new MDM solution.

We configured Kerberos Constraint Delegation on F5 APM module and use the client certificate to extract from "UPN" the username and domain information. This seems to work quite well except that we get from time to time a "Basic authentication" password prompt on iOS devices. It is not important what the user enters, some random characters and Kerberos authentication begins to work.

I searched a lot on DevCentral and Google, but did not find any precise answer how to remove this password prompt.

All the resources say that you should remove any "401 response headers" in the iRule "_sys_APM_activesync". If I do that, no mail is coming in and I think because there is no more authentication done in the APM module. Same behaviour if using iRule "_sys_APM_ExchangeSupport_OA_BasicAuth". I tried even using the "iApp Exchange 2013", but even after only publishing ActiveSync and modifying in the VPE to accept client certificates was not successful.

I found this resource on DevCentral but no indication about how to implement the iRule to remove the password prompt. https://devcentral.f5.com/questions/issue-with-apm-activesync-cert-auth

Here is what is configured:

LTM:

  • Standard VirtualServer with attached "_sys_APM_activesync" iRule
  • Client SSL Profile with enabled ==> "Client authentication ==> Require"
  • APM Profile attached ==> description below

APM Profile:

  • Result from SSL Client profile in "Client inspection"
  • Extract "username & domain" information from UPN using 3 TCL expressions
  • SSO Credential Mapping
  • Attach SSO Kerberos Configuration to get Kerberos tickets from DC

Could someone help me to sort out this problem with the password prompt?

Kind regards,

Gilles

Comments on this Question
Comment made 12-Aug-2016 by Gilles 106

Does nobody have an idea how to resolve the problem, or any hints on how to start?

Kind regards,

Gilles

Comment made 16-Aug-2016 by Nathaneil0227 410

Gilles hi,

What kind of MDM are you using? Meaning Vendor.

Thanks

-Nat

Comment made 16-Aug-2016 by Gilles 106

Hi Nat,

we would like to use Airwatch. Airwatch configuration is used to send policy to iOS devices with Client Certificate authentication enabled.

Kind regards,

Gilles


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The person in the other question just mentions he removed the sending of the 401 part in any attached iRules. You tried that, I believe, but it doesn't work. Can you post your modified iRule(s)?


Hi, thanks for your reply.

I tried multiple modifications the last days, but nothing worked as expected.

Here is the iRule I modified. It is the default _sys_APM_activesync. I commented out the whole "Only Basic authentication" part, but I'm not sure if that is OK. In the part about "append user_key $apm_username", I deleted the "$user_hash" part.

About the general working of client cert auth ==> F5 APM ==> Kerberos SSO, I have problems understanding why Kerberos is working while the iOS device nevertheless gets a "401 response" from time to time. The Kerberos token exists and I can enter random characters; mails sync as expected even with a wrong password. So Kerberos must be working correctly. The APM log is not so verbose any more in "Debug" mode in 12.1, compared to what I saw in articles on the net from older versions. I set the SSO log to Debug, but there is no information about whether a Kerberos ticket has been received or not.

Here is the modified iRule:

when RULE_INIT {
    set static::actsync_401_http_body   "<html><title>Authentication Failed</title><body>Error: Authentication Failure</body></html>"
    set static::actsync_503_http_body   "<html><title>Service is not available</title><body>Error: Service is not available</body></html>"
    set static::ACCESS_LOG_PREFIX       "01490000:7:"
}
when HTTP_REQUEST {
    set http_path                       [string tolower [HTTP::path]]
    set f_clientless_mode               0

    if { $http_path == "/microsoft-server-activesync" } {
        # ActiveSync request: fall through to the session handling below
    } elseif { $http_path == "/autodiscover/autodiscover.xml" } {
        set f_auto_discover 1
    } else {
        return
    }

    if { ! [ info exists src_ip ] } {
        set src_ip                            [IP::remote_addr]
    }
    if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {
        set PROFILE_RESTRICT_SINGLE_IP        1
    }
    # Only allow HTTP Basic Authentication.
    #set auth_info_b64enc                ""
    #set http_hdr_auth                   [HTTP::header Authorization]
    #regexp -nocase {Basic (.*)} $http_hdr_auth match auth_info_b64enc
    #if { $auth_info_b64enc == "" } {
    #    set http_hdr_auth ""
    #}

    #if { $http_hdr_auth == "" } {
    #    log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX Empty/invalid HTTP Basic Authorization header"
    #    HTTP::respond 401 content $static::actsync_401_http_body Connection close
    #    return
    #}

    set MRHSession_cookie               [HTTP::cookie value MRHSession]
    # Do we have valid MRHSession cookie.
    if { $MRHSession_cookie != "" } {
        if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {
            log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie"
            # Default profile access setting is false
            if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
                return
            } elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie "session.user.clientip" ] ] } {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP matched"
                return
            } else {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP does not match"
            }
        }
        else {
            log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie"
        }
        set MRHSession_cookie ""
        HTTP::cookie remove MRHSession
    }

    # With the password hash removed on purpose, the APM session key below is derived
    # only from the lowercased Basic username, and it is empty when the request carries
    # no Authorization header at all.
    set apm_username                    [ string tolower [HTTP::username] ]
    #set apm_password                    [HTTP::password]

    #if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
    #    binary scan [md5 "$apm_password$"] H* user_hash
    #} else {
    #    binary scan [md5 "$apm_password$src_ip"] H* user_hash
    #}
    set user_key {}
    #append user_key $apm_username "." $user_hash
    append user_key $apm_username
    #unset user_hash

    set f_insert_clientless_mode    0
    set apm_cookie_list             [ ACCESS::user getsid $user_key ]
    if { [ llength $apm_cookie_list ] != 0 } {
        set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]
        if { $apm_cookie != "" } {
            HTTP::cookie insert name MRHSession value $apm_cookie
        } else {
            set f_insert_clientless_mode 1
        }
    } else {
        set f_insert_clientless_mode 1
    }

    if { $f_insert_clientless_mode == 1 } {
        HTTP::header insert "clientless-mode" 1
        #HTTP::header insert "username" $apm_username
        #HTTP::header insert "password" $apm_password
    }
    unset f_insert_clientless_mode
}
when ACCESS_SESSION_STARTED {
    if { [ info exists user_key ] } {
        ACCESS::session data set "session.user.uuid" $user_key
        ACCESS::session data set "session.user.microsoft-exchange-client" 1
        ACCESS::session data set "session.user.activesync" 1
        if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {
            set f_auto_discover 0
            ACCESS::session data set "session.user.microsoft-autodiscover" 1
        }
    }
}
when ACCESS_POLICY_COMPLETED {
    if { ! [ info exists user_key ] } {
        return
    }

    set policy_result [ACCESS::policy result]
    switch $policy_result {
    "allow" {
    }
    "deny" {
        # The 401 challenge was removed on purpose; a denied policy now only tears down the session.
        #ACCESS::respond 401 content $static::actsync_401_http_body Connection close
        ACCESS::session remove
    }
    default {
        ACCESS::respond 503 content $static::actsync_503_http_body Connection close
        ACCESS::session remove
    }
    }

    unset user_key
}

What is also strange is the speed of connecting to the F5 when synchronizing mails, but this may be because of the F5 lab license. It looks like the iOS device is taking a long time to connect, or some requests are not validated correctly. I will try on our PROD environment as soon as I no longer get any password prompts.

I also pasted the APM log (debug mode) about the Kerberos authentication:

Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
Aug 13 23:05:43 labo-bigip-n1 info websso.3[4819]: 014d0011:6: /Common/Profile_APM_Airwatch:Common:cc692397: Websso Kerberos authentication for user 'user1' using config '/Common/Kerberos_Domain'
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0046:7: /Common/Profile_APM_Airwatch:Common:cc692397: adding item to WorkQueue
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0018:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 server address = ::ffff:10.10.10.10
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0021:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 SPN = HTTP/exch2013-3.example.com@EXAMPLE.COM
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0023:7: S4U ======> /Common/Profile_APM_Airwatch:Common:cc692397: ctx: 0x8d896a0, user: user1@EXAMPLE.COM, SPN: HTTP/exch2013-3.example.com@EXAMPLE.COM

I hope this explains a little which problem I'm facing.

Kind regards,

Gilles


Hi,

The modified iRule did not work. I still receive 401 password prompts regularly. Do you have an idea why these occur? When I disable all 401 requests, it seems to me that cert auth does not work either.

Kind regards,

Gilles

Comments on this Answer
Comment made 16-Aug-2016 by boneyard 5579

Cert auth shouldn't need 401; cert auth works differently, the client just always sends the cert. 401 is meant for HTTP auth in some form.

Can you see if the 401 comes from your iRule or from another one? The other question suggested multiple iRules were involved.

Comment made 17-Aug-2016 by Gilles 106

Yes, I'm aware of this. I finally found a way to remove the password prompts. It was related to the "OPTIONS" calls from the device, where my iOS device seems to hang.

I added, as suggested in the post from "R Marc" (https://devcentral.f5.com/questions/issue-with-apm-activesync-cert-auth), a static "OPTIONS" response from F5 to Exchange. This seems to have solved the problem. It is now 4 hours since I made the modifications in the iRule and I have had no "Password Prompts" since then. So it looks OK.

The only concern I still have is that the "PUSH" of new mails does not look like it is working when the iPhone is locked. I still don't understand why the "PUSH" of new mails does not work.

But the problem of the "Password Prompt" may be solved.

Kind regards,

Gilles

Comment made 10-Nov-2016 by Ali Khan 57

Hi Gilles,

We are in a similar situation with a client. What did you do to add the static OPTIONS response? Did you amend the _sys_APM_activesync? Can you please help by explaining how you configured the OPTIONS response?

Regards,

Ali

Comment made 29-Dec-2016 by chrisf5az 1

I'm also wondering about the specific OPTIONS calls, if possible. The post from R Marc is all messed up formatting-wise.

Comment made 29-Dec-2016 by Gilles 106

Hi,

we will reconfigure the MDM - F5 setup in 2 weeks as our test licenses are not valid anymore. But I will come back to you with an update as soon as possible.

Kind regards,

Gilles

Comment made 04-Jan-2017 by chrisf5az 1

Hello Gilles, would you mind pasting in the iRule you ended up using? (I'm a bit under the gun with regards to a deadline and we are experiencing this exact problem with many thousands of users.)
I have the below from Marc's post but just wanted to see if it's what you used.

when HTTP_REQUEST {
    set http_path                       [string tolower [HTTP::path]]
    set f_clientless_mode               0
    # Answer the device's OPTIONS probe directly so it never reaches the
    # Basic-auth check further down that would otherwise send a 401.
    if { [HTTP::method] equals "OPTIONS" } {
        HTTP::respond 200 -version 1.1 noserver Cache-Control "private" Allow "OPTIONS,POST" Server "Microsoft-IIS/8.5" MS-Server-ActiveSync "14.3" MS-ASProtocolVersions "2.0,2.1,2.5,12.0,12.1,14.0,14.1" MS-ASProtocolCommands "Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert" Public "OPTIONS,POST" X-AspNet-Version "4.0.30319" X-Powered-By "ASP.NET" Content-Length 0
        # Stop processing this event; the response above is the complete answer to the probe.
        return
    }

    if { $http_path == "/microsoft-server-activesync" } {
    }
    # (the remainder of the HTTP_REQUEST handling from the default _sys_APM_activesync continues here)
}
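The OPTIONS short-circuit that Gilles reports as the fix, written out as an added example (it is not his rule or R Marc's) in the form of the opening of the HTTP_REQUEST event in a copy of _sys_APM_activesync; the path check, the client-certificate gate via SSL::cert count and the log lines are my additions, and the header values are constructed placeholders to be aligned with the real Exchange server.

```tcl
# Added example: prologue for the HTTP_REQUEST event of a copy of _sys_APM_activesync.
# It answers the ActiveSync OPTIONS probe locally, but only when the TLS handshake
# delivered a client certificate, so a device without one still falls through to the
# normal Basic-auth handling. Each decision is logged to /var/log/ltm so the admin can
# tell which 401s still originate from the default rule body that follows.
when HTTP_REQUEST {
    set http_path [string tolower [HTTP::path]]

    if { $http_path eq "/microsoft-server-activesync" && [HTTP::method] eq "OPTIONS" } {
        # SSL::cert count is 0 when the peer presented no certificate. With the
        # client-ssl profile set to "Require" this should not happen, but checking it
        # keeps the short-circuit from masking a misconfigured profile.
        if { [SSL::cert count] == 0 } {
            log local0.warn "ActiveSync OPTIONS from [IP::client_addr] without client certificate; passing to default handling"
        } else {
            log local0.info "ActiveSync OPTIONS from [IP::client_addr] answered locally (client cert present)"
            # Constructed capability values; align them with the Exchange CAS behind
            # this virtual server before use.
            HTTP::respond 200 noserver \
                Allow "OPTIONS,POST" \
                Public "OPTIONS,POST" \
                MS-Server-ActiveSync "14.3" \
                MS-ASProtocolVersions "2.0,2.1,2.5,12.0,12.1,14.0,14.1" \
                MS-ASProtocolCommands "Sync,SendMail,SmartForward,SmartReply,GetAttachment,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert" \
                Content-Length 0
            # Leave the event here so the Basic-auth check below never sees this probe.
            return
        }
    }

    # ... the rest of the default _sys_APM_activesync HTTP_REQUEST body goes here ...
}
```

Because `return` only exits this rule's event, keep the OPTIONS handling inside the same iRule as the 401 logic rather than in a separate iRule listed before it, otherwise the default rule still runs and attempts its own response.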

Hi Gilles,

Have you been able to resolve the password prompt issues with the above modifications to the iRule?

Did you try to use the Exchange 2013 iApp and get it to work with the Exchange Profile that the iApp creates? I have a similar problem, and based on some reading it looks like the _sys_APM_activesync iRule is kept for backward compatibility but is no longer recommended. The F5 recommended way for ActiveSync and other Exchange services (i.e. OWA, AutoDiscover, etc.) is to attach an Exchange profile to the Access Policy. The Exchange profile is configured under Access Policy -> Application Access -> Microsoft Exchange. When doing it this way, however, I am forced to configure a password on the AirWatch ActiveSync profile that is deployed to iOS devices. If no password is entered in the profile, users get prompted.

Thanks

Comments on this Answer
Comment made 13-Sep-2017 by The-messenger 359

Bump on this. Have you, or anyone else, been able to resolve it? I'm also working on client cert auth for ActiveSync, getting the certificate from AD via AirWatch. I haven't read clear information on how to edit the ActiveSync iRule for this.

Don't you need clientlessmode set to 1?
