Username in APM Reports - VIP using Kerberos SSO

i believe i have the same issue (also 11.6 HF5). to be sure with Kerberos SSO you mean that you HTTP 401 response + Kerberos Auth in the Access Policy so users authenticate on the client side of APM with their Kerberos ticket? there was an earlier question you also answered in but there hints were made to custom reports, only there is no other login field or such to choose. im wonderif if it isn't possible because only after the Kerberos Auth VPE the system becomes aware of an actual user. the system never shows a clear username 'name' like it does with other logon methods. makes me wonder if you do see a username when you do client cert auth for example.

Yes @boneyard, that is exactly a HTTP401 + Kerberos Auth. The thing is reports in APM probably do not get the username from the standard session variables (session.logon.last.username and logonname). Asked F5, and the workaround they provided me did the trick. I added a logging event box at the end of the VPE, configured to log session.logon.last.username for instance, then using custom reports, checked the session variable value to be displayed. This worked, but that would be cool to have something more consistent. Asked F5, and the workaround they provided me did the trick. I added a logging event box at the end of the VPE, configured to log session.logon.last.username for instance, then using custom reports, checked the session variable value to be displayed. This worked, but that would be cool to have something more consistent.

it seems to be somehow a regression bug. I had in older 11 releases the same issue for users login with client certificates (username was being extracted from the certificate). At some point it was fixed.

yeah it is odd and feel buggy, i just noticed that in active sessions it does show the correct username ... btw F5Maniac you can post your workaround as answer and flag it i would say.

hey, i got it working now, it seems related to either stripping of the @domain part or doing an ad query, got to look into it further but i at least have in the normal report the actual username showing up.

Thx Boneyard, If you have any hint of what made it working for you, please feel free to share, I would be really interested to understand what is happening.

ok, i think i got a fix / workaround, it is rather silly but give it a go.

 

after the the Kerberos Auth VPE add a variable assign VPE

 

in the VPE you do: Custom Variable Unsecure session.logon.last.username = Session Variable session.logon.last.username

 

for me this works 100%, like mentioned before it feels like a bug, and if this also works for you then im quite sure it is.

 

You are the man, this workaround works perfectly ! You did my day :)

 

Thanks, Pascal / F5Maniac