Forum Discussion

RobertJuric's avatar
RobertJuric
Icon for Nimbostratus rankNimbostratus
Jun 18, 2020

HTTP::Cookie iRule Empty after Access Policy

I have a virtual server with an access policy for Kerberos authentication. After Kerberos authenticates, we perform an AD query and then insert a cookie with an AD attribute for the back-end server.

We recently needed to add a fail-back authentication method, so if Kerberos fails we show a login page with RSA authentication. All of that works, but when the cookie is created after a successful RSA authentication the variable in the cookie is empty. The cookie is created, but is always empty unless Kerberos is successful.

when HTTP_RESPONSE {
   log local0. "HTTP RESPONSE"
   HTTP::cookie insert name "REMOTE_USER" value "[ACCESS::session data get "session.ad./Common/testapp_act_active_directory_query_ag.attr.sAMAccountName"]" path "/"
}

3 Replies

  • i assume because the Kerberos authentication does AD query for you.

     

    if you add the AD query VPE after the RSA authentication you should be fine.

  • I already have an AD query after the authentication methods, as I wasn't aware the Kerberos did an AD query.

     

    When testing the RSA authentication, the session log shows all the AD attributes, but it isn't added to the cookie. I wasn't sure if they possibly had different names or if the HTTP_RESPONSE event was happening before the AD query.

  • ah, didnt know there was an AD query already, disregard my remark on Kerberos auth doing that then, assumption on my part.

     

    so the AD query does have the username to work with when doing just RSA auth? you say you see all attributes, and sAMAccountName is on the same variable like shown above? the /Common/ in there looks strange to me, but i havent seen everything of course.

     

    have you tried logging the value in the iRule to see if it is just not there or something else?