Bug ID 473344: Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.4 HF2, 11.4.1 HF9

Opened: Jul 28, 2014
Severity: 3-Major
Related Article:
K71224903

Symptoms

Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Impact

The failure occurs without any error message. The system should post an error message similar to the following: "(Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie."

Conditions

An APM access policy is configured with Kerberos authentication, and the attempted authentication session was initially created on a different VIP.

Workaround

Either disable RBA on the originating access profile, or remove the domain cookie.

Fix Information

With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.

Behavior Change