Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0
Opened: Jun 19, 2014 Severity: 3-Major Related Article:
K16800
When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the http-post SSO binding is used.
Some functionality may not behave properly; for example, when the BIG-IP system is configured as a SAML IdP and an http-post SSO binding is used, AuthnRequest can get lost and authentication will fail.
The problem occurs under these conditions: 1. RBA is enabled. 2. Kerberos Auth is used. 3. The first request to the BIG-IP system before session has been established is a POST request.
To work around the problem, edit the access policy and, in the properties for the Kerberos Auth item, set Request Based Auth to Disabled.
None