Kerberos 401 authentication with form fallback

Hello,

we are using APM for SAML authentication. Domain-joined machines should authenticate transparently with Kerberos; users without the ability to use Kerberos (non-domain-joined, Firefox without negotiate settings) should receive a form to log in.

Kerberos works fine, but users with non-domain-joined machines receive a browser authentication prompt and "Authentication required to access the resources.".

Has anybody set up such a scenario? Any help is appreciated.

Comments on this Question
Comment made 20-Feb-2016 by Stanislas Piron 6257
Hi, did the solution provided by Evan and Saravanan solve your issue? I have the same need (Kerberos for domain computers, SAML for others) and it is really helpful for all others to know if you got a solution. I tried the solution in my lab successfully, but it's better to know if you validated it for production users. Stanislas
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I don't immediately see how it's possible to tell if a PC is able to authenticate without asking it via a 401, which produces a browser auth pop-up. Is there anything in the initial HTTP request that you can use to tell this class of clients from the other class of clients?

Well, perhaps you could use Group-Policy IEM tool to modify the User-Agent and show the 401 to only those guys via some simple VPE logic? But they would have to use only IE, unless there is some way to do this with Firefox to a group of PCs.

https://technet.microsoft.com/en-us/library/cc770379.aspx

1
Comments on this Answer
Comment made 15-Jan-2016 by Daniel W. 276
Hi Lucas, thanks for your response. I already thought about changing the User-Agent so that I can check for this header. For the moment, I could live with the 401 prompt, when I can display the auth form after canceling the 401 prompt. But no matter what I do, I receive "Authentication required to access the resources.", when Negotiate is enabled in the 401 agent.
0
Comment made 15-Jan-2016 by Evan Champion 275
One possibility is to combine an IP address check and a client check to say "if the client is internal and running Internet Explorer, then they can probably do Kerberos; otherwise, show the web form". For the failed 401 returning "Authentication required to access the resources.", I think that must be a bug -- if the 401 fails, it should follow the failure branch to e.g. the web form.
0
Comment made 16-Jan-2016 by Evan Champion 275
Sorry, it's not a bug, but is not desirable/expected behaviour either. When APM sends the 401 Unauthorized, the HTTP response content is the error message defined in the APM HTTP 401 Response block. This defaults to "Authentication required to access the resources.". Instead we would want it to return something that caused the client and APM to advance down the fallback path, perhaps like an auto-submit form that caused the fallback path to be executed. I have submitted bug C2012278 to request such an enhancement to the HTTP 401 Response block.
0
Comment made 17-Jan-2016 by Lucas Thompson
It should advance if the client issues a POST to my.policy. A GET may also do it, but I haven't tested that in this context. Maybe a bit of JavaScript. Let us know the ID number you get from support; it should be 6 digits.
0
Comment made 19-Jan-2016 by Evan Champion 275
Hi Lucas -- my case number is: C2012278.
0
Comment made 24-Jan-2016 by Evan Champion 275
Hi all -- I was able to get a workaround for this from F5 support, which seems to do the right thing. Quoting from the F5 support response:

The setup involves checking for the session variable "session.logon.last.authparam". This variable gets set when the client is supporting "Negotiate"; it is not set when the client supports "Basic". The necessary steps are listed below:

- add "Variable Assign" before "HTTP 401 Response": "session.logon.last.authparam = return {}" (set session variable "session.logon.last.authparam" to blank)
- configure "HTTP 401 Response":
  - "HTTP Auth Level": "negotiate"
  - "HTTP response message": "<script type="text/javascript"> window.onload = function () {window.location.reload()} </script>"
- add "Special_Basic" branch rule: "expr {[mcget {session.logon.last.authparam}] == ""}" (this has to be placed ABOVE the "Negotiate" branch)

Now when the client is not supporting Negotiate it goes down the "Special_Basic" branch. I tried it and the result looked to be as expected. If the user is prompted for Kerberos and Kerberos fails, then the failure path (designated by the Special_Basic branch) is taken.
2
Comment made 28-Jan-2016 by Saravanan M K
Hi Evan, alternatively, instead of adding the variable assign and using the Special_Basic branch rule, you can try this:

- configure "HTTP 401 Response":
  - "HTTP Auth Level": "negotiate"
  - "HTTP response message": <script type="text/javascript"> window.onload = function () {window.location.reload()} </script>
- for the "Negotiate" branch, change the default expression to:

expr { [mcget {session.logon.last.authtype}] == "Negotiate" && [mcget {session.logon.last.authparam}] != "" }
2
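As an added model (not F5 APM code and not part of the thread) of how the two variants of the 401-agent branch rules above classify a client, assuming the session variables are populated from the client's Authorization header the way F5 support describes and that the VPE takes the first branch rule whose expression is true:

```python
# Added model (not F5 APM code) of how the 401-agent branch rules in this
# thread classify a client.  Assumed from the comments: APM sets
# session.logon.last.authtype to the client's Authorization scheme and
# session.logon.last.authparam to the Negotiate token only (blank, via the
# Variable Assign, for Basic or no credentials); first true branch rule wins.

def session_vars(authorization):
    """Populate the two session variables from a client Authorization header."""
    sess = {"session.logon.last.authtype": "", "session.logon.last.authparam": ""}
    if authorization:
        scheme, _, param = authorization.strip().partition(" ")
        sess["session.logon.last.authtype"] = scheme
        if scheme == "Negotiate":  # authparam is only set for Negotiate
            sess["session.logon.last.authparam"] = param.strip()
    return sess

def mcget(sess, name):
    """Stand-in for the Tcl [mcget {var}] used in VPE branch rules."""
    return sess.get(name, "")

# Evan's workaround: Special_Basic placed ABOVE the default Negotiate rule.
EVAN_RULES = [
    # expr {[mcget {session.logon.last.authparam}] == ""}
    ("Special_Basic", lambda s: mcget(s, "session.logon.last.authparam") == ""),
    # default Negotiate expression (assumed): authtype == "Negotiate"
    ("Negotiate", lambda s: mcget(s, "session.logon.last.authtype") == "Negotiate"),
]

# Saravanan's variant: one stricter Negotiate rule; everything else falls back.
SARAVANAN_RULES = [
    # expr { [mcget {..authtype}] == "Negotiate" && [mcget {..authparam}] != "" }
    ("Negotiate", lambda s: mcget(s, "session.logon.last.authtype") == "Negotiate"
                            and mcget(s, "session.logon.last.authparam") != ""),
]

def route(rules, authorization):
    """Return the branch taken for a client reply to the 401, or 'fallback'."""
    sess = session_vars(authorization)
    for branch, expr in rules:
        if expr(sess):
            return branch
    return "fallback"  # the agent's fallback branch leads to the logon form

# Constructed client replies to "WWW-Authenticate: Negotiate" (token is made up).
CLIENTS = {
    "domain-joined browser": "Negotiate YIIBogYGKwYBBQUCoIIB",
    "basic-only browser": "Basic dXNlcjpwYXNz",
    "page reloaded by JS": None,  # no Authorization header at all
    "empty Negotiate": "Negotiate",  # scheme sent, token missing
}
```

Reversing EVAN_RULES shows why Special_Basic has to sit above Negotiate: a reply carrying the Negotiate scheme with no token would otherwise match the default Negotiate rule and be sent into Kerberos auth.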
Comment made 10-Feb-2017 by Nolan Jensen 65

Just wanted to say thank you, Saravanan, as your solution worked for me. Also wanted to note that although the workaround posted by Evan did work, I was still getting a browser login prompt when using IE11, but it worked fine on Chrome.

Thanks

0
Comment made 3 months ago by AN 162

@ Saravanan M K and Evan,

I tried your solutions and it didn't work for me... For a non-domain computer I am getting a login prompt (not the login page) and it fails after two attempts. I had a message box and found it was failing at Kerberos Auth. Why doesn't it fall back on the 401 response instead? I am running BIG-IP 12.1.1 Build 2.0.204 Hotfix HF2. Did I miss something?

0
Comment made 3 months ago by Stanislas Piron 6257

Hi,

the last solution provided by Saravanan M K worked for me:

remove the BASIC_STATIC branch and replace the Negotiate branch expression with:

expr { [mcget {session.logon.last.authtype}] == "Negotiate" && [mcget {session.logon.last.authparam}] != "" }
0
Comment made 2 months ago by AN 162

Hi Stanislas,

I've also tried Saravanan M K's solution. I found it still goes to Kerberos Auth and doesn't fall back to the 401 responses. Following is what I have:

0
Comment made 2 months ago by AN 162

I also tried removing Basic and leaving Negotiate in the 401 branch rule, but still the same issue. Thanks.

0
Comment made 2 months ago by AN 162

Further to my investigation with debug, I found the following line:

bigip debug apmd[16352]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 2564 Msg: Converted Var: session.logon.last.authparam to Session Var tmm.session.fa70bd95.session.logon.last.authparam

It assigned the variable session.logon.last.authparam when I am trying to access the URL from outside, with the session variable as shown above, so there is no way the branch rule in the 401 HTTP response will fall back, because session.logon.last.authparam}] != "" will always have a value and it will go to Kerberos Auth.

0
Comment made 2 months ago by AN 162

@ Alexandre Allaire @ Nolan Jensen @ Lucas Thompson @ Stanislas Piron @ Saravanan M K

People who confirmed the solution is working, can I get some help? What did they do that is different from what I have in my above configuration?

0
Comment made 1 month ago by Chris Wentland 328

Hey AN, are you still having issues with this functionality? I am working on an issue right now where IE and Chrome WERE functional, but have stopped working. What we've noticed is that the authorization window is still presented, but we can just cancel it, and authentication is successful. It may be related to a Microsoft bug, MS16-119. Can you attempt to cancel the login and see if that works?

Thanks!

Chris Wentland

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The solution works, but I still have Firefox prompting for credentials first. If I cancel, it switches back to Kerberos. Is there any way to force Firefox to use Kerberos prior to Basic auth?

0
Comments on this Answer
Comment made 03-Mar-2017 by Nolan Jensen 65

Alexandre,

In order to have this work on Firefox I had to go to about:config, search for network.negotiate-auth.trusted-uris and add the site you are trying to access. This resolved any prompts I had on Firefox.

0