Forum Discussion

Gilles_from_Lux (Nimbostratus), Aug 11, 2016

Activesync APM Client Certificate authentication - Basic authentication password prompts

Hi,

we are trying to implement a new MDM solution.

We configured Kerberos Constrained Delegation on the F5 APM module and use the client certificate to extract the username and domain information from the "UPN". This seems to work quite well, except that from time to time we get a "Basic authentication" password prompt on iOS devices. It is not important what the user enters; some random characters and Kerberos authentication begins to work.

I searched a lot on DevCentral and Google, but did not find any precise answer on how to remove this password prompt.

All the resources say that you should remove any "401 response headers" in the iRule "_sys_APM_activesync". If I do that, no mail comes in, I think because there is no more authentication done in the APM module. Same behaviour when using the iRule "_sys_APM_ExchangeSupport_OA_BasicAuth". I even tried using the "iApp Exchange 2013", but even after publishing only ActiveSync and modifying the VPE to accept client certificates it was not successful.

I found this resource on DevCentral, but no indication about how to implement the iRule to remove the password prompt: https://devcentral.f5.com/questions/issue-with-apm-activesync-cert-auth

Here is what is configured:

 

LTM:

  • Standard VirtualServer with attached "_sys_APM_activesync" iRule
  • Client SSL Profile with enabled ==> "Client authentication ==> Require"
  • APM Profile attached ==> description below

APM Profile:

  • Result from SSL Client profile in "Client inspection"
  • Extract "username & domain" information from UPN using 3 TCL expressions
  • SSO Credential Mapping
  • Attach SSO Kerberos Configuration to get Kerberos tickets from DC
Could someone help me to sort out this problem with the password prompt?

Kind regards,

Gilles

14 Replies

  • Does nobody have an idea how to resolve the problem, or any hints on how to start?

    Kind regards,

    Gilles

  • The person in the other question just mentions he removed the sending of the 401 part in any attached iRules. You tried that I believe, but it doesn't work. Can you post your modified iRule(s)?

  • Hi, thanks for your reply.

    I tried multiple modifications over the last days, but nothing worked as expected.

    Here is the iRule I modified. It is the default _sys_APM_activesync. I commented the whole "Only Basic authentication" part out, but I'm not sure if it is ok. In the part about "append user_key $apm_username" I deleted the "$user_hash" part.

    About the general working of client cert auth ==> F5 APM ==> Kerberos SSO, I have problems understanding why Kerberos is working, but the iOS device nevertheless gets a "401 response" from time to time. A Kerberos token exists and I can enter random characters; mails sync as expected even with a wrong password. So Kerberos needs to be working correctly. The APM log is not so verbose any more in "Debug" mode in 12.1 as I saw in articles on the net from older versions. I set the SSO log to Debug, but no information whether the Kerberos ticket has been received or not.

    Here is the modified iRule:

    when RULE_INIT {
        set static::actsync_401_http_body   "Authentication FailedError: Authentication Failure"
        set static::actsync_503_http_body   "Service is not availableError: Service is not available"
        set static::ACCESS_LOG_PREFIX       "01490000:7:"
    }
    when HTTP_REQUEST {
        set http_path                       [string tolower [HTTP::path]]
        set f_clientless_mode               0
    
        # Only ActiveSync and Autodiscover requests are handled by this iRule.
        if { $http_path == "/microsoft-server-activesync" } {
        }
        elseif { $http_path == "/autodiscover/autodiscover.xml" } {
            set f_auto_discover 1
        }
        else return
    
        if { ! [ info exists src_ip ] } {
            set src_ip                            [IP::remote_addr]
        }
        if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {
            set PROFILE_RESTRICT_SINGLE_IP        1
        }
        # Only allow HTTP Basic Authentication.
        # (Block commented out by the poster, as described above, so that a
        # request without an Authorization header is no longer answered with 401.)
        #set auth_info_b64enc                ""
        #set http_hdr_auth                   [HTTP::header Authorization]
        #regexp -nocase {Basic (.*)} $http_hdr_auth match auth_info_b64enc
        #if { $auth_info_b64enc == "" } {
        #    set http_hdr_auth ""
        #}
        #
        #if { $http_hdr_auth == "" } {
        #    log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX Empty/invalid HTTP Basic Authorization header"
        #    HTTP::respond 401 content $static::actsync_401_http_body Connection close
        #    return
        #}
    
        set MRHSession_cookie               [HTTP::cookie value MRHSession]
        # Do we have a valid MRHSession cookie?
        if { $MRHSession_cookie != "" } {
            if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie"
                # Default profile access setting is false
                if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
                    return
                }
                elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie "session.user.clientip" ] ] } {
                    log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP matched"
                    return
                }
                else {
                    log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP does not match"
                }
            }
            else {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie"
            }
            set MRHSession_cookie ""
            HTTP::cookie remove MRHSession
        }
    
        set apm_username                    [ string tolower [HTTP::username] ]
        set apm_password                    [HTTP::password]
    
        if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
            binary scan [md5 "$apm_password$"] H* user_hash
        } else {
            binary scan [md5 "$apm_password$src_ip"] H* user_hash
        }
        set user_key {}
        # Original line, removed by the poster so the key no longer contains the password hash:
        #append user_key $apm_username "." $user_hash
        append user_key $apm_username
        unset user_hash
    
        set f_insert_clientless_mode    0
        set apm_cookie_list             [ ACCESS::user getsid $user_key ]
        if { [ llength $apm_cookie_list ] != 0 } {
            set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]
            if { $apm_cookie != "" } {
                HTTP::cookie insert name MRHSession value $apm_cookie
            } else {
                set f_insert_clientless_mode 1
            }
        } else {
            set f_insert_clientless_mode 1
        }
    
        if { $f_insert_clientless_mode == 1 } {
            HTTP::header insert "clientless-mode" 1
            HTTP::header insert "username" $apm_username
            HTTP::header insert "password" $apm_password
        }
        unset f_insert_clientless_mode
    }
    when ACCESS_SESSION_STARTED {
        if { [ info exists user_key ] } {
            ACCESS::session data set "session.user.uuid" $user_key
            ACCESS::session data set "session.user.microsoft-exchange-client" 1
            ACCESS::session data set "session.user.activesync" 1
            if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {
                set f_auto_discover 0
                ACCESS::session data set "session.user.microsoft-autodiscover" 1
            }
        }
    }
    when ACCESS_POLICY_COMPLETED {
        if { ! [ info exists user_key ] } {
            return
        }
    
        set policy_result [ACCESS::policy result]
        switch $policy_result {
        "allow" {
        }
        "deny" {
            ACCESS::respond 401 content $static::actsync_401_http_body Connection close
            ACCESS::session remove
        }
        default {
            ACCESS::respond 503 content $static::actsync_503_http_body Connection close
            ACCESS::session remove
        }
        }
    
        unset user_key
    }
    

    What is also strange is the speed of connecting to F5 when synchronizing mails, but this can be because of the F5 lab license. It looks like the iOS device is taking a long time to connect, or some requests are not validated correctly. I will try on our PROD environment as soon as I do not get any password prompts any more.

    I also put the APM log in debug mode for the Kerberos authentication:

    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
    Aug 13 23:05:43 labo-bigip-n1 info websso.3[4819]: 014d0011:6: /Common/Profile_APM_Airwatch:Common:cc692397: Websso Kerberos authentication for user 'user1' using config '/Common/Kerberos_Domain'
    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0046:7: /Common/Profile_APM_Airwatch:Common:cc692397: adding item to WorkQueue
    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0018:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 server address = ::ffff:10.10.10.10
    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0021:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 SPN = HTTP/exch2013-3.example.com@EXAMPLE.COM
    Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0023:7: S4U ======> /Common/Profile_APM_Airwatch:Common:cc692397: ctx: 0x8d896a0, user: user1@EXAMPLE.COM, SPN: HTTP/exch2013-3.example.com@EXAMPLE.COM
    

    I hope this explains a little what problem I'm facing.

    Kind regards,

    Gilles

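The websso lines in the post above contain the pieces a defender needs to check whether APM actually asked the domain controller for a ticket: the APM session id at the end of the profile prefix, the user name from the "Websso Kerberos authentication" line, the target SPN, and the "S4U" line that marks the constrained-delegation ticket request. The following tclsh script is an added example (not part of the thread and not F5 code) that folds such lines into a per-session summary, so a session whose S4U request was never issued stands out. The sample lines are constructed from the format shown in the post; the second session id, its user and the timestamps are invented, and the field layout is assumed to be stable across the two line variants seen above.

```tcl
#!/usr/bin/env tclsh
# Added example: summarise BIG-IP APM websso (Kerberos SSO) log lines per session.
# Sample lines constructed from the format in the post; "deadbeef"/user2 are invented.

set sample_log {
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
Aug 13 23:05:43 labo-bigip-n1 info websso.3[4819]: 014d0011:6: /Common/Profile_APM_Airwatch:Common:cc692397: Websso Kerberos authentication for user 'user1' using config '/Common/Kerberos_Domain'
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0021:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 SPN = HTTP/exch2013-3.example.com@EXAMPLE.COM
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0023:7: S4U ======> /Common/Profile_APM_Airwatch:Common:cc692397: ctx: 0x8d896a0, user: user1@EXAMPLE.COM, SPN: HTTP/exch2013-3.example.com@EXAMPLE.COM
Aug 13 23:06:10 labo-bigip-n1 info websso.3[4819]: 014d0011:6: /Common/Profile_APM_Airwatch:Common:deadbeef: Websso Kerberos authentication for user 'user2' using config '/Common/Kerberos_Domain'
}

# One log line -> dict of fields, or an empty string when it is not a websso line.
# Groups: timestamp, host, level, message code, severity digit, optional "S4U ===> "
# marker, access profile, partition, session id, free-text message.
proc parse_websso_line {line} {
    set re {^(\w+\s+\d+\s+[0-9:]+)\s+(\S+)\s+(\S+)\s+websso\.\d+\[\d+\]:\s+([0-9a-f]+):(\d+):\s+(S4U =+> )?(\S+):(\S+):([0-9a-f]+):\s+(.*)$}
    if {![regexp $re $line -> ts host level code sev s4u profile partition sid msg]} {
        return {}
    }
    return [dict create ts $ts host $host level $level code $code sev $sev \
        s4u [expr {$s4u ne ""}] profile $profile partition $partition sid $sid msg $msg]
}

# Fold all lines into {sid -> {user spn s4u_requested first_seen}}.
proc summarise_sessions {logtext} {
    set sessions [dict create]
    foreach line [split $logtext "\n"] {
        set f [parse_websso_line [string trim $line]]
        if {$f eq ""} { continue }
        set sid [dict get $f sid]
        if {![dict exists $sessions $sid]} {
            dict set sessions $sid [dict create user "" spn "" s4u_requested 0 first_seen [dict get $f ts]]
        }
        set msg [dict get $f msg]
        if {[regexp {authentication for user '([^']+)'} $msg -> user]} {
            dict set sessions $sid user $user
        }
        if {[regexp {SPN = (\S+)} $msg -> spn]} {
            dict set sessions $sid spn $spn
        }
        if {[dict get $f s4u]} {
            dict set sessions $sid s4u_requested 1
        }
    }
    return $sessions
}

# Print one line per APM session; a session with s4u_requested=0 never got as far
# as the ticket request and is the one to look at first.
dict for {sid info} [summarise_sessions $sample_log] {
    puts [format "%s user=%s spn=%s s4u_requested=%d" $sid \
        [dict get $info user] [dict get $info spn] [dict get $info s4u_requested]]
}
```

Run it with `tclsh summarise_websso.tcl` after replacing `sample_log` with the output of `tail /var/log/apm` filtered on `websso`; the script only reports whether the S4U request was issued, since the post's log level does not show the KDC's reply.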
  • Hi,

    the modified iRule did not work. I still receive 401 password prompts regularly. Do you have an idea why these changes occur? When I disable all 401 requests, it seems to me that cert auth does not work either.

    Kind regards,

    Gilles

    • boneyard (MVP)

      Cert auth shouldn't need 401; cert auth works differently, the client just always sends the cert. 401 is meant for HTTP auth in some form.

      Can you see if the 401 comes from your iRule or from another one? The other question suggested multiple iRules were involved.

    • Gilles_from_Lux (Nimbostratus)

      Yes, I'm aware of this. I finally found a way to remove the password prompts. It was related to the "OPTIONS" calls from the device, where my iOS device seems to hang.

      I added, as suggested in the post from "R Marc" (https://devcentral.f5.com/s/feed/0D51T00006i7aPXSAY), a static "OPTIONS" response from F5 to Exchange. This seems to have solved the problem. It is now 4 hours since I did the modifications in the iRule and I have got no "Password Prompts" since then. So it looks ok.

      The only concern I still have is that the "PUSH" of new mails does not look like it is working when the iPhone is locked. I still do not understand why the "PUSH" of new mails does not work.

      But the problem of the "Password Prompt" is maybe solved.

      Kind regards,

      Gilles

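Ali's question below is what such a static OPTIONS response looks like in practice. The posted _sys_APM_activesync answers every ActiveSync request that carries no Authorization header with a 401, and the iOS client sends its OPTIONS probe without one, so that probe is a plausible source of the prompt. The iRule event below is an added example: it is not the thread's own code and not the snippet from the R Marc post, which is not reproduced here. It answers the OPTIONS probe on the BIG-IP itself, so the probe is neither forwarded to Exchange nor answered with a 401, while every other method continues to APM and Kerberos SSO unchanged. Assumptions: it is meant to be placed at the top of the HTTP_REQUEST event in a copy of the ActiveSync iRule (HTTP::respond may only be issued once per request, so it must run before the 401 branch), the header values are placeholders for an Exchange 2013 backend and should be copied from a real OPTIONS response of your CAS, and the log line goes to local0 for verification only.

```tcl
# Added example (not the thread's or F5's code): answer the ActiveSync OPTIONS
# probe locally so it never reaches the backend and never triggers the 401 branch.
# Header values are assumed placeholders; copy them from your own CAS response.
when HTTP_REQUEST {
    # Exact method and path match: only the unauthenticated OPTIONS probe is
    # short-circuited; POST (the real ActiveSync commands) still goes through APM.
    if { [HTTP::method] equals "OPTIONS" &&
         [string tolower [HTTP::path]] equals "/microsoft-server-activesync" } {
        log local0.debug "ActiveSync OPTIONS from [IP::client_addr] answered locally"
        HTTP::respond 200 noserver \
            "Allow"                 "OPTIONS,POST" \
            "Public"                "OPTIONS,POST" \
            "MS-Server-ActiveSync"  "15.0" \
            "MS-ASProtocolVersions" "2.5,12.0,12.1,14.0,14.1" \
            "MS-ASProtocolCommands" "Sync,SendMail,SmartForward,SmartReply,GetAttachment,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert" \
            "Content-Length"        "0" \
            "Cache-Control"         "private"
        return
    }
    # ... the rest of the copied ActiveSync HTTP_REQUEST logic follows here ...
}
```

To check the effect, compare `OPTIONS /Microsoft-Server-ActiveSync` sent straight to the CAS with the same request through the virtual server: the status and the MS-AS* headers should match, and the APM log should no longer show a 401 for that request.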
    • Ali_Khan (Nimbostratus)

      Hi Gilles,

      We are in a similar situation with a client. What did you do to add the static OPTIONS response? Did you amend the _sys_APM_activesync? Can you please help by explaining how you configured the OPTIONS response?

      Regards,

      Ali

  • Nath (Cirrostratus)

    Gilles hi,

    What kind of MDM are you using? Meaning vendor.

    Thanks

    -Nat

  • Hi Nat,

    we would like to use AirWatch. The AirWatch configuration is used to send the policy to iOS devices with client certificate authentication enabled.

    Kind regards,

    Gilles

  • Hi Gilles,

    Have you been able to resolve the password prompt issues with the above modifications to the iRule?

    Did you try to use the Exchange 2013 iApp and get it to work with the Exchange Profile that the iApp creates? I have a similar problem, and based on some reading it looks like the _sys_APM_activesync iRule is kept for backward compatibility but is no longer recommended. The F5-recommended way to go for ActiveSync and other Exchange services (i.e. OWA, AutoDiscover, etc.) is to attach an Exchange profile to the Access Policy. The Exchange profile is configured under Access Policy -> Application Access -> Microsoft Exchange. When doing it this way, however, I am forced to configure a password in the AirWatch ActiveSync profile that is deployed to iOS devices. If no pwd is entered in the profile, users get prompted.

    Thanks

    • The-messenger (Cirrostratus)

      Bump on this. Have you, or anyone else, been able to resolve this? I'm also working on client cert auth for ActiveSync, getting the certificate from AD via AirWatch. I haven't read clear information on how to edit the activesync iRule for this.

      Don't you need clientless-mode set to 1?