Layer7 API Management

  • 1.  Issue while using Require Windows Integrated Authentication Credentials assertion

    Posted Jun 28, 2017 08:20 AM

    Hi,

    I am facing an issue when using the require windows integration assertion. When the policy is executed the first time, the policy is failing at this assertion with authentication required error and on executing it immediately afterwards, it is completing successfully. In the debug mode, the policy fails at this point and this assertion is positioned as the second in the list of assertions inside the policy. Can anyone please help if they have come across a similar scenario? I am unable to make out why this is occurring.

     

    Regards,

    Shwetha



  • 2.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Broadcom Employee
    Posted Jul 05, 2017 02:08 PM

    Shwetha,

     

    Would you be able to attach your policy for review? The ordering of it may affect how the policy reaches back to the client to get the Kerberos token established.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Posted Jul 07, 2017 09:25 AM

    Hi Shwethay,

     

    As per Stephen's update, please attach the policy so it can be reviewed.

     

    Regards

    Seenu Mathew



  • 4.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Posted Jul 18, 2017 02:29 AM

    Hi Seenu_Mathew

     

    Sorry for the late response. The order in which the policies are is as below:

     

    1. Require SSL or TLS transport

    2. Require windows integrated authentication credentials

    3. Generate oauth 1.0 HMAC-SHA256 signature

    4. Route via HTTP using the signature

     

    What I observed is that the first time we hit the endpoint, the authentication is failing at step 2, however there is another attempt made immediately which succeeds and we are able to get the response. So although if we use a debugger, there is an error in the debugger due to failure, we get the correct response due to the second attempt being successful.

    I was trying to capture the failure as part of error logging and I have used the following assertions for that, and now when I try to hit the endpoint, it fails every time. Can you please check and let me know what could be the issue?

     

    2.a At least one assertion must evaluate to true

        a.1 At least one assertion must evaluate to true

              Require windows integrated authentication credentials

        a.2 All assertions must evaluate to true

              Customize error response

              Raise error



  • 5.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Posted Jul 18, 2017 05:03 AM

    Hi Shwetha,

     

    Kindly provide your configuration screenshot. Something is wrong in your configuration, due to which it is always failing.

     

    Regards

    Rajasekhar



  • 6.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Posted Jul 18, 2017 05:13 AM

    Moreover, the configuration should be like below, especially for the authentication part.

     

    2.a At least one assertion must evaluate to true

        a.1 All assertions must evaluate to true

              Require windows integrated authentication credentials

        a.2 All assertions must evaluate to true

              Customize error response

              Raise error

    Here, only if the first block's validation fails will it go to the custom error; otherwise it will go through.

    But anyhow, please provide your configuration screenshot.

     

    Regards

    Rajasekhar



  • 7.  Re: Issue while using Require Windows Integrated Authentication Credentials assertion

    Broadcom Employee
    Posted Aug 03, 2017 01:21 AM

    Shwetha,

     

    The problem is that the Kerberos token handshake is handled over multiple calls. The initial call contains no authentication, so it fails back to the client requesting negotiate, with the SPN needing to be obtained from the Kerberos environment. The client will then request the token from the Kerberos environment using the stored credentials on the Windows client machine. Then, once the Kerberos token is returned to the client, the client will send it through to the gateway in the Authorization header.

     

    If the Require Windows Integrated Authentication Credentials assertion receives an Authorization header that it can validate against the keytab, then it will progress past. This token is only one part of the validation, as you should have an Authenticate against Identity Provider assertion pointing to the same AD environment.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
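
Because the handshake in the reply above spans multiple calls, the first 401 for a client is expected and should not be logged as an authentication failure. The following Python is an added example, not from the thread or the product: it pairs each 401 with the request that follows it, so that only unanswered challenges, rejected tokens and wrong schemes are reported. The record layout, verdict names and sample values are constructed assumptions, not the gateway's audit format.

```python
# Constructed sample records, not real gateway output.
# Fields (assumed): client address, path, Authorization header value, HTTP status.
SAMPLE = [
    ("192.0.2.5", "/orders", None, 401),                 # leg 1: no credentials yet
    ("192.0.2.5", "/orders", "Negotiate TOKEN-A", 200),  # leg 2: token accepted
    ("192.0.2.9", "/orders", None, 401),                 # challenge never answered
    ("192.0.2.7", "/orders", "Negotiate TOKEN-B", 401),  # token sent but rejected
    ("192.0.2.8", "/orders", "Basic PLACEHOLDER", 401),  # wrong scheme offered
]


def classify(records):
    """Pair each 401 with what followed it; return (client, path, verdict) tuples."""
    findings = []
    pending = {}  # (client, path) -> index in findings of an open challenge
    for client, path, auth, status in records:
        key = (client, path)
        scheme = auth.split(" ", 1)[0].lower() if auth else None
        if status == 401 and scheme is None:
            # Expected first leg: the gateway answers with a Negotiate challenge.
            pending[key] = len(findings)
            findings.append((client, path, "challenge-unanswered"))
        elif status == 401:
            verdict = "token-rejected" if scheme == "negotiate" else "wrong-scheme"
            if key in pending:
                findings[pending.pop(key)] = (client, path, verdict)
            else:
                findings.append((client, path, verdict))
        elif scheme == "negotiate" and key in pending:
            # Second leg succeeded, so the earlier 401 was only the handshake.
            findings[pending.pop(key)] = (client, path, "handshake-ok")
    return findings


def alertable(findings):
    """Drop completed handshakes; keep what error logging should record."""
    return [f for f in findings if f[2] != "handshake-ok"]


if __name__ == "__main__":
    for client, path, verdict in alertable(classify(SAMPLE)):
        print(f"{client} {path} {verdict}")
```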