Last Modified: Oct 16, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.4 HF2, 11.4.1 HF9
Opened: Jul 28, 2014 Severity: 3-Major Related Article:
K71224903
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
Error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.
APM access policy is configured with Kerberos authentication and the attempted authentication session was was initially created on a different VIP.
Either disable RBA on the originating access profile, or remove the domain cookie.
With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.