Last Modified: Nov 07, 2022
Affected Product:
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Opened: Jan 29, 2016
Severity: 4-Minor
Checking Authorization Header in HTTP 401 Response Agent branch rule.
Authentication fails, and the default fallback branch is not followed.
Authentication fails.
The Authorization header is not sent by the client when the HTTP 401 Response Agent sends the 'WWW-Authenticate: Negotiate' header.
Modify the default branch rule in the HTTP 401 Response Agent. The current successful branch rule checks that 'authtype' is 'negotiate', which is a correct check for whether 'negotiate' has been tried. Because the HTTP 401 Response Agent stores the Authorization header in a session variable called 'authparam', the branch rule should instead check whether an Authorization header was present, as shown in the following example:

    expr { [mcget {session.logon.last.authparam}] != "" }
None