
F5 APM Kerberos SSO Issue: Firefox keeps using Basic auth

I'm currently trialling APM for Kerberos single sign-on and I've set up Kerberos SSO with AD auth as a backup.

  • The authentication was tested and works successfully on IE and Chrome.
  • I'm having difficulties with Firefox, since it prompts the user for username / password.
  • Firefox has been set up to perform seamless login:

    network.automatic-ntlm-auth.trusted-uris & network.negotiate-auth.trusted-uris have been configured

  • I can visit other sites that do single sign-on without Firefox asking for a password.

  • If I click 'Cancel' when prompted for username / password, I can get through and my username shows up on the backend application.

Access Policy 401 Config

How do I configure APM to try Negotiate first and then fallback to Basic Auth?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

That is an interesting find. It would seem that while most browsers will choose the more secure option, versions of Firefox will choose the first specified option. That's complicated by the fact that the APM 401 agent doesn't allow you to specify an order. Basic is always the first in the list. :(

Thankfully there are other options.

While not the prettiest thing in the world, if you put an LTM VIP in front of the APM VIP, you can control APM's 401 response with an iRule.

  1. Create your APM VIP as a simple, HTTP-based, port 80 virtual listening on an internal IP address - an address that is NOT accessible to users - and apply your access policy as usual.

  2. Create your LTM VIP for external user access, HTTP profile, port 443 and client SSL profile as required, and the following iRule:

    # Hand every client request to the internal APM virtual server.
    when HTTP_REQUEST {
        virtual MY_APM_VS
    }
    # Hold the first chunk of server-side data so the 401 can be inspected before it reaches the client.
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        if { ( [TCP::payload] contains "401 Unauthorized" ) and ( [TCP::payload] contains "WWW-Authenticate: Basic realm=" ) } {
            # "WWW-Authenticate: Basic realm=" is 30 characters; grab the realm that follows it up to the end of the header line.
            set hdr_basic [findstr [TCP::payload] "WWW-Authenticate: Basic realm=" 30 "\r\n"]
            set hdr_basic_txt "WWW-Authenticate: Basic realm=${hdr_basic}"

            # Swap the two headers: park Negotiate under a placeholder, write Negotiate where Basic was,
            # then put the Basic header back where Negotiate was.
            regsub -all -nocase "WWW-Authenticate: Negotiate" [TCP::payload] "auth-holder-string" payload1
            # string map treats the realm as a literal, so a realm containing regex metacharacters cannot break the swap.
            set payload2 [string map [list $hdr_basic_txt "WWW-Authenticate: Negotiate"] $payload1]
            set payload3 [string map [list "auth-holder-string" $hdr_basic_txt] $payload2]

            # Overwrite the held payload with the reordered response in one step.
            TCP::payload replace 0 [TCP::payload length] $payload3
        }
        # Release the collected data (modified or not) exactly once per collect.
        TCP::release
    }


User request traffic will pass through the LTM VIP to the APM VIP. This code will look for the "WWW-Authenticate: Basic realm=" string in APM's response payload, collect the realm name from the Basic string, flip the Basic and Negotiate headers, and then replace the payload.

Replace "virtual MY_APM_VS" with the name of your APM virtual server. Give that a shot. ;)

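Added example, not code from the answer above or from F5: the same header swap modelled in Python and run over a constructed APM-style 401 response, so the challenge order Firefox would see can be checked offline. It parses the response instead of pattern-matching it, so a realm containing regex metacharacters is handled as a literal; all names and the sample response are hypothetical.

```python
from typing import List, Tuple

CRLF = "\r\n"

# Constructed sample of the 401 challenge the answer describes: APM lists
# Basic before Negotiate. The realm deliberately contains "(" and ".",
# which would be metacharacters if the realm were used as a regsub pattern.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized" + CRLF
    + "Server: BigIP" + CRLF
    + 'WWW-Authenticate: Basic realm="corp.example (APM)"' + CRLF
    + "WWW-Authenticate: Negotiate" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def challenge_order(raw: str) -> List[str]:
    """Return the auth schemes in the order the browser will see them."""
    _, headers, _ = parse_response(raw)
    return [v.split(" ", 1)[0] for n, v in headers if n.lower() == "www-authenticate"]


def negotiate_first(raw: str) -> str:
    """Reorder WWW-Authenticate headers so Negotiate precedes Basic.

    Only 401 responses are touched; the existing header positions are reused,
    so nothing else in the response moves, and the realm stays a literal string.
    """
    status_line, headers, body = parse_response(raw)
    parts = status_line.split(" ")
    if len(parts) < 2 or parts[1] != "401":
        return raw
    slots = [i for i, (n, _) in enumerate(headers) if n.lower() == "www-authenticate"]
    # Stable sort: Negotiate challenges first, every other challenge keeps its order.
    ordered = sorted((headers[i] for i in slots),
                     key=lambda h: 0 if h[1].lower().startswith("negotiate") else 1)
    for i, h in zip(slots, ordered):
        headers[i] = h
    head = CRLF.join([status_line] + [f"{n}: {v}" for n, v in headers])
    return head + CRLF + CRLF + body
```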