Hi,
thanks for your reply.
I tried multiple modifications over the last few days, but nothing worked as expected.
Here is the iRule I modified. It is the default _sys_APM_activesync. I commented out the whole "Only Basic authentication" block, but I'm not sure if that is OK. As for the part about "append user_key $apm_username", I deleted the "$user_hash" part.
About the general workings of client cert auth ==> F5 APM ==> Kerberos SSO, I have trouble understanding why Kerberos is working, yet the iOS device still gets a "401 response" from time to time. The Kerberos token exists and I can enter random characters; mails sync as expected even with a wrong password. So Kerberos must be working correctly. The APM log is not as verbose in "Debug" mode in 12.1 as I saw in articles on the net about older versions. I set the SSO log to Debug, but there is no information about whether the Kerberos ticket has been received or not.
Here is the modified iRule:
when RULE_INIT {
    set static::actsync_401_http_body "Authentication FailedError: Authentication Failure"
    set static::actsync_503_http_body "Service is not availableError: Service is not available"
    set static::ACCESS_LOG_PREFIX "01490000:7:"
}

when HTTP_REQUEST {
    set http_path [string tolower [HTTP::path]]
    set f_clientless_mode 0

    if { $http_path == "/microsoft-server-activesync" } {
    } elseif { $http_path == "/autodiscover/autodiscover.xml" } {
        set f_auto_discover 1
    } else return

    if { ! [ info exists src_ip ] } {
        set src_ip [IP::remote_addr]
    }

    if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {
        set PROFILE_RESTRICT_SINGLE_IP 1
    }

    # Only allow HTTP Basic Authentication.
    # (This block is the one the poster commented out, see the text above.)
    #set auth_info_b64enc ""
    #set http_hdr_auth [HTTP::header Authorization]
    #regexp -nocase {Basic (.*)} $http_hdr_auth match auth_info_b64enc
    #if { $auth_info_b64enc == "" } {
    #    set http_hdr_auth ""
    #}
    #if { $http_hdr_auth == "" } {
    #    log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX Empty/invalid HTTP Basic Authorization header"
    #    HTTP::respond 401 content $static::actsync_401_http_body Connection close
    #    return
    #}

    set MRHSession_cookie [HTTP::cookie value MRHSession]

    # Do we have a valid MRHSession cookie?
    if { $MRHSession_cookie != "" } {
        if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {
            log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie"
            # Default profile access setting is false
            if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
                return
            } elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie "session.user.clientip" ] ] } {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP matched"
                return
            } else {
                log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX source IP does not matched"
            }
        } else {
            log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie"
        }
        set MRHSession_cookie ""
        HTTP::cookie remove MRHSession
    }

    set apm_username [ string tolower [HTTP::username] ]
    set apm_password [HTTP::password]

    # Hash the password (plus the source IP when single-IP restriction is on).
    if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {
        binary scan [md5 "$apm_password$"] H* user_hash
    } else {
        binary scan [md5 "$apm_password$src_ip"] H* user_hash
    }

    set user_key {}
    # Stock rule: session key is username + "." + password hash.
    #append user_key $apm_username "." $user_hash
    # Poster's modification: session key is the username only.
    append user_key $apm_username
    unset user_hash

    set f_insert_clientless_mode 0

    # Look up an existing APM session for this user key and reuse its cookie.
    set apm_cookie_list [ ACCESS::user getsid $user_key ]
    if { [ llength $apm_cookie_list ] != 0 } {
        set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]
        if { $apm_cookie != "" } {
            HTTP::cookie insert name MRHSession value $apm_cookie
        } else {
            set f_insert_clientless_mode 1
        }
    } else {
        set f_insert_clientless_mode 1
    }

    # No usable session: hand the credentials to the access policy in clientless mode.
    if { $f_insert_clientless_mode == 1 } {
        HTTP::header insert "clientless-mode" 1
        HTTP::header insert "username" $apm_username
        HTTP::header insert "password" $apm_password
    }
    unset f_insert_clientless_mode
}

when ACCESS_SESSION_STARTED {
    if { [ info exists user_key ] } {
        ACCESS::session data set "session.user.uuid" $user_key
        ACCESS::session data set "session.user.microsoft-exchange-client" 1
        ACCESS::session data set "session.user.activesync" 1

        if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {
            set f_auto_discover 0
            ACCESS::session data set "session.user.microsoft-autodiscover" 1
        }
    }
}

when ACCESS_POLICY_COMPLETED {
    if { ! [ info exists user_key ] } {
        return
    }

    set policy_result [ACCESS::policy result]
    switch $policy_result {
        "allow" {
        }
        "deny" {
            ACCESS::respond 401 content $static::actsync_401_http_body Connection close
            ACCESS::session remove
        }
        default {
            ACCESS::respond 503 content $static::actsync_503_http_body Connection close
            ACCESS::session remove
        }
    }
    unset user_key
}
What is also strange is the speed of connecting to the F5 when synchronizing mails, but this could be because of the F5 lab license. It looks like the iOS device takes a long time to connect, or some requests are not validated correctly. I will try on our PROD environment as soon as I no longer get any password prompts.
I also put the APM log in debug mode for Kerberos authentication:
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0044:7: /Common/Profile_APM_Airwatch:Common:cc692397: metadata len 397
Aug 13 23:05:43 labo-bigip-n1 info websso.3[4819]: 014d0011:6: /Common/Profile_APM_Airwatch:Common:cc692397: Websso Kerberos authentication for user 'user1' using config '/Common/Kerberos_Domain'
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0046:7: /Common/Profile_APM_Airwatch:Common:cc692397: adding item to WorkQueue
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0018:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 server address = ::ffff:10.10.10.10
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0021:7: /Common/Profile_APM_Airwatch:Common:cc692397: ctx:0x8d896a0 SPN = HTTP/exch2013-3.example.com@EXAMPLE.COM
Aug 13 23:05:43 labo-bigip-n1 debug websso.3[4819]: 014d0023:7: S4U ======> /Common/Profile_APM_Airwatch:Common:cc692397: ctx: 0x8d896a0, user: user1@EXAMPLE.COM, SPN: HTTP/exch2013-3.example.com@EXAMPLE.COM
I hope this explains a little which problem I'm facing.
Kind regards,
Gilles
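The session-key logic of the posted iRule, modelled in Python as an added example (not the poster's or F5's code): `user_key` mirrors the `md5`/`binary scan` derivation and `append user_key` lines, and a constructed in-memory session store stands in for `ACCESS::user getsid`/`getkey`. It shows why a request with a wrong password still gets the existing MRHSession cookie once `$user_hash` is dropped from the key, so the access policy never re-checks the credentials; with the stock key the new hash forces a fresh policy run and a deny.

```python
import hashlib


class SessionStore:
    """Constructed stand-in for APM's session table (not F5 code):
    maps a user_key to the MRHSession id of an allowed session."""
    def __init__(self):
        self.by_key = {}
        self.next_id = 1

    def lookup(self, key):
        return self.by_key.get(key)

    def create(self, key):
        sid = f"sid{self.next_id:02d}"
        self.next_id += 1
        self.by_key[key] = sid
        return sid


def user_hash(password, src_ip, restrict_single_ip=True):
    # binary scan [md5 ...] H* user_hash: hex md5 over the password plus the
    # source IP, or plus a literal "$" (that is how "$apm_password$" expands in Tcl)
    data = password + (src_ip if restrict_single_ip else "$")
    return hashlib.md5(data.encode()).hexdigest()


def user_key(username, password, src_ip, include_hash=True):
    # Stock rule: "<user>.<hash>"; poster's modification: "<user>" only
    username = username.lower()
    if include_hash:
        return username + "." + user_hash(password, src_ip)
    return username


def handle_request(store, username, password, src_ip, include_hash, valid_password):
    """'reuse': existing cookie inserted, policy not run; 'allow'/'deny':
    policy evaluated the credentials (deny ends as the rule's 401)."""
    key = user_key(username, password, src_ip, include_hash)
    if store.lookup(key):
        return "reuse"
    if password != valid_password:
        return "deny"
    store.create(key)
    return "allow"


def scenario(include_hash):
    # Constructed input: one good login, then the same user with a wrong password
    store = SessionStore()
    first = handle_request(store, "user1", "Correct-Pw", "10.0.0.5", include_hash, "Correct-Pw")
    second = handle_request(store, "user1", "wrongpw", "10.0.0.5", include_hash, "Correct-Pw")
    return first, second
```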