Bug ID 479287: Using Kerberos Authentication with an SWG explicit/transparent proxy configuration results in an authentication failure

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Opened: Sep 15, 2014
Severity: 3-Major

Symptoms

When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type respectively, without additional configuration, Kerberos authentication attempts always fail. The session variable "session.server.network.name" seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication.

Impact

Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication.

Conditions

The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Expliceit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.)

Workaround

To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: session.server.network.name and, in the right pane, select Text and type the appropriate domain name.

Fix Information

None

Behavior Change