Forum Discussion

f5learn_164388 (Nimbostratus)
May 03, 2016

kerberos seamless login issue

Hello,

We are trying to get seamless login working for the laptop users in our environment. Here is the policy we have currently, which seems to be working with the following issues.

1) If we clear the IE browser cache and try to access the Virtual server, the login is seamless, though it takes a while before the webtop shows up to access a resource. Not sure where the delay is? We can see the Kerberos ticket being sent in Fiddler and such.

2) After the initial login, if we try to access the Virtual server again, we are now getting an authentication dialog. Checking in Fiddler we see that the Kerberos ticket is sent, but it looks like APM ignores it and sends a 401 again.

Could anyone give us some directions on what to look for if you have come across this situation.

Thanks, Ski

11 Replies

  • APM retains the kerberos ticket that you already played and falls back to a 401 prompt, as it doesn't allow replaying the same kerberos token multiple times. You have to clear your Authentication cache on the Browser side. We work around this behavior by injecting JavaScript code within the response to the client. Here is an example of a javascript function that works: void(document.execCommand('ClearAuthenticationCache'))

    The issue is that Internet Explorer sends the same kerberos token every time until you close your browser or remove the cache. And APM doesn't support it...

    • f5learn_164388 (Nimbostratus)
      Thanks, Yann, for answering this post. We will take a look at this workaround. The only concern is that it clears the cache for everything. Also, going through the links below, it looks like there is success for Kerberos seamless. I am a little surprised that all these have to deal with the workaround. Or is APM accepting the same token a bug that has been fixed in later versions? Currently we are on 11.5.1. Any insight is appreciated. https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm https://devcentral.f5.com/questions/kerberos-caching-option Thanks, ski
    • Yann_Desmarest (Cirrus)
      I didn't try in 12.0.0, but I can confirm that this issue still exists in 11.6.0. Moreover, the workaround provided clears the credential caching only, but works for IE only :( For your information, we get this issue when the user authenticates using Kerberos, then logs out, and re-login fails because the same kerberos token is replayed on the client side and rejected by APM. If you trigger a different scenario, have a look at the Request Based Auth feature on the kerberos AAA object.
    • f5learn_164388 (Nimbostratus)
      Thanks, Yann, for the comment. Yes, we faced the re-login failure issue as you mentioned. Will take a look at Request Based Auth. The suggestion below from Michael is addressing this.
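The behaviour described in this reply thread, as an added example that is not part of the thread and is not F5's or any poster's code: a small model of a gateway that accepts a given Kerberos (SPNEGO) token once and answers a replay with a fresh 401, two client behaviours (a browser that re-sends its cached token, and one whose auth cache was cleared so each request carries a new token), and a diagnostic that scans a Fiddler-style request trace for an Authorization: Negotiate value that repeats across requests. The tokens and the trace are constructed placeholders, and the once-only replay cache is an assumption about APM's behaviour, not its implementation.

```python
"""Added example, not code from this thread, from F5, or from any poster.
It models the behaviour Yann describes (a gateway that accepts a given
Kerberos/SPNEGO token only once and answers a replay with a new 401) and
adds a diagnostic that scans a captured request trace for an
"Authorization: Negotiate" value that repeats across requests, which is
what the original poster saw in Fiddler. All tokens are constructed
placeholders, not real AP-REQ blobs; the replay cache is an assumption
about APM's behaviour, not its implementation."""

import base64
import hashlib
from dataclasses import dataclass, field


def _fingerprint(token: str) -> str:
    # Hash rather than keep the raw token: it is a credential-bearing blob.
    return hashlib.sha256(token.encode()).hexdigest()[:16]


@dataclass
class GatewaySim:
    """Stand-in for the access gateway: remembers tokens it has accepted."""
    accepted: set = field(default_factory=set)

    def handle(self, headers: dict) -> int:
        """Return the HTTP status the gateway would send for these headers."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401                      # no token yet: challenge the client
        fp = _fingerprint(auth[len("Negotiate "):].strip())
        if fp in self.accepted:
            return 401                      # replayed token: challenge again
        self.accepted.add(fp)
        return 200


def fake_tokens():
    """Constructed stand-in for a fresh AP-REQ per challenge; a counter plays
    the role of the changing authenticator. Not real Kerberos data."""
    n = 0
    while True:
        n += 1
        yield base64.b64encode(b"constructed-ap-req-%d" % n).decode()


def ie_like_client(gateway: GatewaySim, token: str, attempts: int = 2) -> list:
    """Models the cached-credential behaviour from the thread: the same token
    is re-sent on every request, so only the first one is accepted."""
    return [gateway.handle({"Authorization": "Negotiate " + token})
            for _ in range(attempts)]


def fresh_token_client(gateway: GatewaySim, tokens, attempts: int = 2) -> list:
    """Models a client whose auth cache was cleared: a new token per request."""
    return [gateway.handle({"Authorization": "Negotiate " + next(tokens)})
            for _ in range(attempts)]


# Constructed Fiddler-style trace: three requests, the first two carrying the
# same Negotiate token. The token strings are placeholders.
TRACE = """\
GET /webtop HTTP/1.1
Host: vs.example.test
Authorization: Negotiate YIIBxwYGKwYBBQUCAAAACONSTRUCTEDTOKENAAAAAAAA
--
GET /webtop HTTP/1.1
Host: vs.example.test
Authorization: Negotiate YIIBxwYGKwYBBQUCAAAACONSTRUCTEDTOKENAAAAAAAA
--
GET /other HTTP/1.1
Host: vs.example.test
Authorization: Negotiate YIIB9wYGKwYBBQUCAAAADIFFERENTTOKENBBBBBBBBBB
"""


def find_replayed_tokens(trace: str) -> dict:
    """Map token fingerprint -> request lines, for tokens sent more than once.
    Requests in the trace are separated by a line containing only "--"."""
    seen: dict = {}
    for block in trace.split("\n--\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        request_line = lines[0]
        for line in lines[1:]:
            name, _, value = line.partition(":")
            value = value.strip()
            if name.strip().lower() == "authorization" and value.startswith("Negotiate "):
                fp = _fingerprint(value[len("Negotiate "):])
                seen.setdefault(fp, []).append(request_line)
    return {fp: reqs for fp, reqs in seen.items() if len(reqs) > 1}


if __name__ == "__main__":
    print("cached token re-sent:", ie_like_client(GatewaySim(), "CONSTRUCTEDTOKEN"))
    print("fresh token each time:", fresh_token_client(GatewaySim(), fake_tokens()))
    for fp, reqs in find_replayed_tokens(TRACE).items():
        print(f"token {fp} replayed in {len(reqs)} requests: {reqs}")
```

Running the module prints [200, 401] for the re-sent token and [200, 200] for the fresh-token client, and reports the two /webtop requests as carrying the same token. Feeding a real capture through find_replayed_tokens (after exporting it as plain request headers with "--" between requests) gives a quick way to confirm that the second 401 is the replay rejection rather than a missing ticket.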
  • Michael, I think we got past the pop-up thing. It's strange that once the reverse DNS lookup entry was added, it took care of the delay and also the popup. Now we are seeing something different. Most of the time the seamless thing is working, but once in a while we get a "page cannot be displayed". We put some message boxes in place and see that the below highlighted path is taken and it just fails with a "page cannot be displayed" message in the browser. When we took the packet captures we see that there is an ACK,RST from the server and nothing happens. In the APM logs we see "session is deleted due to user inactivity". Is there something else we are missing?

    • Michael__ (Nimbostratus)
      Hi, the PTR entry for the SPN is mandatory, or at least a host entry (on the APM), to get the Kerberos auth with the F5 working. About the RST: could you set the Access Policy Logging to Debug (System ›› Logs : Configuration : Options) and check the log output (/var/log/apm) for a reason?!
  • Thanks, Michael. Please find the screenshot below, which has the last few lines from the debug logs for successful vs failed logins.