Bug ID 570753: Checking Authorization Header in HTTP 401 Response Agent branch rule

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Opened: Jan 29, 2016
Severity: 4-Minor

Symptoms

When checking for the Authorization header in the HTTP 401 Response Agent branch rule, authentication fails and the default fallback branch is not followed.

Impact

Authentication fails.

Conditions

The client does not send the Authorization header when the HTTP 401 Response Agent sends the 'WWW-Authenticate: Negotiate' header.

Workaround

Modify the default branch rule in the HTTP 401 Response Agent. The current successful branch rule checks that 'authtype' is 'negotiate', which is a correct check for whether 'negotiate' has been tried. Because the HTTP 401 Response Agent stores the Authorization header in a session variable called 'authparam', to check whether an Authorization header was present, modify the branch rule as shown in the following example:

expr { [mcget {session.logon.last.authparam}] != "" }

Fix Information

None

Behavior Change