Forum Discussion

Evan_Champion_1, Jan 04, 2016

Kerberos and APM-based SAML IdP

I am stuck getting transparent Kerberos authentication to work with my F5 APM-based SAML IdP. The user's first access to the IdP is successfully transparently authenticated. Following session expiry however, when the user is redirected back to the IdP to login again, they are prompted for credentials.

Has anyone managed to get Kerberos to work nicely with the APM SAML IdP? I am using version 12.0.

I have worked out why the prompt happens; on the first authentication the client is sent 401 Unauthorized and then from that point onwards sends Authorized headers. After session expiry, the user is redirected back through the IdP and is sent 401 Unauthorized again. This causes Internet Explorer to prompt the user for credentials.

As best as I can determine...

  • there is no way in the HTTP standard to tell a client that has started sending Authorized headers to stop.
  • the IE ClearAuthenticationCache command makes IE stop sending Authorized headers and resolves the issue with Kerberos authentication, but it also clears the session cookies for the SP, and all the user's other cookies too, so this is not a solution.
  • there does not seem to be a way to make the F5 use the Authorized header that the client already provided.
  • the HTTP 401 Response block seems to be required. I tried working around it (by checking if the session started with Authorization and if so branching directly to a Kerberos Authentication block without an HTTP 401 Response block) and received an error "USession::scheduleExecLastAgent() - can not found the agent".
  • I tried a few different ways to "hack" the response without success.

I would really appreciate any assistance to get this working.

Thank you,

Evan
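As an added example (not from the thread and not F5 code), a toy model of the exchange the post describes: a browser that caches a Negotiate ticket after one 401 challenge and then sends it pre-emptively, against an IdP that either accepts a pre-emptive Authorization header on a new session or re-challenges regardless (the behaviour the thread attributes to ID 461084). The class names, the placeholder token and the session model are constructed assumptions; no real Kerberos/GSSAPI exchange takes place.

```python
TOKEN = "Negotiate <constructed-placeholder-token>"  # constructed, not a real ticket


class Browser:
    """IE-like client: after one 401 challenge it caches the ticket and sends it pre-emptively."""

    def __init__(self):
        self.has_token = False
        self.prompts = 0  # credential prompts shown to the user

    def get(self, idp):
        headers = {"Authorization": TOKEN} if self.has_token else {}
        status = idp.handle(headers)
        if status == 401:
            if self.has_token:
                # Challenged again while already presenting a ticket: the browser
                # treats that as a rejection and falls back to a credential prompt.
                self.prompts += 1
            self.has_token = True
            status = idp.handle({"Authorization": TOKEN})
        return status


class IdP:
    """Server side; with accept_preemptive=False a new session is always challenged,
    even when a valid Authorization header arrived before the 401 (the reported bug)."""

    def __init__(self, accept_preemptive):
        self.accept_preemptive = accept_preemptive
        self.new_session()

    def new_session(self):
        self.challenged = False  # has this session been sent a 401 yet?
        self.authenticated = False

    def handle(self, headers):
        if self.authenticated:
            return 200
        auth = headers.get("Authorization", "")
        if auth == TOKEN and (self.challenged or self.accept_preemptive):
            self.authenticated = True
            return 200
        self.challenged = True
        return 401


def simulate(accept_preemptive):
    """First login, session expiry, second login; return statuses and prompt count."""
    idp, browser = IdP(accept_preemptive), Browser()
    first = browser.get(idp)
    idp.new_session()  # session expiry: the IdP forgets that it already challenged
    second = browser.get(idp)
    return {"first": first, "second": second, "prompts": browser.prompts}
```

Both variants end with a 200, but only the re-challenging IdP produces a credential prompt on the second login, which is the symptom the post reports.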


18 Replies

  • I think I may have found an issue ID for this in the APM 12.0 release notes. The ID is: 461084. When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header PRIOR to the "HTTP 401" challenge, authentication fails. An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured. Auth can fail and the client might see a login prompt again when the IP address changes. Unfortunately there is no workaround recommended. :-(
  • Hi Evan,

    I did investigate this a bit, and there does not appear to be a viable workaround, unfortunately, as you noted. Can I ask you to please open a support case with F5 and ask for it to be linked to that BZ as a request to fix it? Meanwhile, I am pursuing the urgency of this internally, and will post more details as we find out when exactly the issue will be addressed.

    • amolari
      This BugID can be found only in the RN of 11.5.3 and 12.0. Do you know what the situation is with 11.6?
    • Evan_Champion_1
      Thanks Michael -- yes, I will open a support case. This is a big problem for us not only for deployment of the planned SAML single sign-on service, but also for two other projects in-train using APM to provide Kerberos login to applications that don't support Kerberos. I would very much appreciate anything you can do internally to get the issue prioritised, while I try through the technical support team. I would be very happy to help test the fix.
    • Oz_201205
      @Evan & Mike: Google Chrome for Business does not seem to be having this issue, and re-auth is transparent to the user. So this sounds to be only affecting IE... Have you experienced the same? What could be the reason for this disparity on the end user's client? Also, I am wondering if the call to support resulted in an iRule or an engineering HF, and if it did, whether it addressed this issue or not? Thanks for sharing your feedback.
  • Most of my APM issues were resolved by upgrading to 12.1.0. I would recommend 12.1.1 for new users of APM SAML as it fixes at least one other issue.

    • Sergi_Munyoz_24
      Hi Evan and company. Which issues did you get fixed?

      Don't know if it is exactly the same, but I'm trying to set up Kerberos with SAML (with the SSO portal as per the doc). Kerberos SSO to the webtop and IdP-initiated connections from there work as expected, but when I try SP-initiated connections without the webtop I get a collection of popups asking for auth, and it hangs at https://idp.xxx.com/saml/idp/profile/redirectorpost/sso/...

      Is it possible to get this to work?

    • kunjan
      Is the BIG-IP acting as IdP and SP at the same time? And as IdP you are using KerberosAuth?

    • Sergi_Munyoz_24
      Yes, both. I followed: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.htmlconceptid

      Now I want to use Kerberos for AD users on the internal network instead of the logon form.

      If users reach the webtop they are not prompted for auth; Kerberos works fine, and they can launch IdP-initiated SAML resources. But if a user goes to login.microsoftonline.com, for example, and gets redirected to idp.xxx.com, they get a prompt for auth. In other SP-initiated cases the prompt does not appear but the browser hangs at the redirectorpost URL. A simple Apache frontend HTML doc with a Shibboleth SP works.