Bug ID 788417: Remote Desktop client on macOS may show resource auth token on credentials prompt

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1

Fixed In:
15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2

Opened: May 30, 2019

Severity: 3-Major

Symptoms

APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field. This behavior is observed only with Remote Desktop Client v10.x for macOS.

Impact

Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Conditions

-- APM Webtop is configured with Single Sign-on enabled native RDP resource. -- Try to access the RDP resource from macOS using RDP client v10.x. Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Workaround

Apply the following iRule: Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources. when HTTP_RESPONSE_RELEASE { catch { set locationUri [HTTP::header Location] if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" && $locationUri contains "username=s:f5_apm"} { HTTP::header Location \ [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri] } } }

Fix Information

Remote Desktop client on macOS does not show resource auth token on credentials prompt.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips