Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1
Fixed In:
15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
Opened: May 30, 2019
Severity: 3-Major
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the Base64-encoded auth token in the username field. This behavior is observed only with Remote Desktop Client v10.x for macOS.
A prompt for credentials (containing the auth token in the username field) causes confusion for APM end users.
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server:
Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

    when HTTP_RESPONSE_RELEASE {
        catch {
            set locationUri [HTTP::header Location]
            # Only touch 302 redirects that launch a native RDP resource
            # and carry the auth token in the username attribute.
            if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" && $locationUri contains "username=s:f5_apm"} {
                # Move the token out of the username attribute.
                HTTP::header Location \
                    [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
            }
        }
    }
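To check offline whether a captured APM redirect still carries the token in the username attribute, the following added Python example (not F5 code) parses the rdp:// Location value and classifies it; `apply_workaround` mirrors the iRule's string substitution for testing only. The host name, token value and the function names are constructed for illustration.

```python
# Added example: audit a captured 302 Location header for the condition
# the iRule above matches on. Sample values are constructed, not real.

TOKEN_MARKER = "username=s:f5_apm"          # string the iRule matches
REWRITTEN = "gatewayaccesstoken=s:"         # string the iRule substitutes


def parse_rdp_attrs(location):
    """Split an rdp:// launch URI into {attribute: (type, value)}."""
    attrs = {}
    for pair in location[len("rdp://"):].split("&"):
        name, sep, typed = pair.partition("=")   # first '=' only; Base64
        if not sep:                              # padding may add more
            continue
        typ, _, value = typed.partition(":")
        attrs[name.lower()] = (typ, value)
    return attrs


def audit_redirect(status, location):
    """Classify one response the way the iRule's condition would."""
    if status != 302 or not location.startswith("rdp://"):
        return "not-applicable"
    attrs = parse_rdp_attrs(location)
    _, user = attrs.get("username", ("", ""))
    if user.startswith("f5_apm"):
        return "token-in-username"       # macOS v10.x may display this
    if "gatewayaccesstoken" in attrs:
        return "rewritten"               # workaround already applied
    return "no-token"


def apply_workaround(location):
    """Python mirror of the iRule's string map, for offline testing."""
    return location.replace(TOKEN_MARKER, REWRITTEN)


# Constructed sample: token placeholder is Base64 of "CONSTRUCTED".
SAMPLE = ("rdp://full%20address=s:rdp01.example.test"
          "&username=s:f5_apmQ09OU1RSVUNURUQ=&audiomode=i:2")

if __name__ == "__main__":
    print(audit_redirect(302, SAMPLE))
    print(audit_redirect(302, apply_workaround(SAMPLE)))
```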
Remote Desktop client on macOS does not show resource auth token on credentials prompt.