Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Opened: Sep 15, 2014 Severity: 3-Major
When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type respectively, without additional configuration, Kerberos authentication attempts always fail. The session variable "session.server.network.name" seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication.
Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication.
The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Expliceit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.)
To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: session.server.network.name and, in the right pane, select Text and type the appropriate domain name.
None