Forum Discussion

joesnyder_13328's avatar
joesnyder_13328
Icon for Nimbostratus rankNimbostratus
Jun 22, 2015

APM Policy Error when logging in "Session cannot be established"

I am having an issue with APM I am hoping someone can help me with. I currently have a fairly basic policy setup using an external logon page. It then checks two domains to see if the user is part of either of those domains. I created a custom ending that redirects to the user back to the logon page if they are unable to be authenticated, and checked the box to close session data after redirect. The problem I am running into is it seems that if the user enters an incorrect password it brings them back to the logon page but no matter if they enter the correct password or an incorrect password they get the error:

 

"Your session could not be established.

 

BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session."

 

Anyone have any ideas on why the user cannot login the second time around?

 

 

access policy
APM
redirect
security

4 Replies

Sort By
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jun 22, 2015

    Are you sure external logon page POST is working? Did you change "Max Logon Attempts Allowed" to 1 to go through fallback if the user does not exist in the first AD? What is the format of username?

    • username (SAMAccountName)
    • Domain\user
    • username@fqdndomain (userprincipalname)

    if provided username is not SAMAccountName, the better way is to define branches in the external logon page with expression like:

    expr { [mcget {session.logon.username}] ends_with "@domain1.local" || [mcget {session.logon.username}] ends_with "domain1\\"}

    and authenticate on the right AD.

  • brad_11480's avatar
    brad_11480
    Icon for Nimbostratus rankNimbostratus
    May 19, 2016

    Or could it be that the user bookmarked the logon and the bookmark is directly to the external logon page. If they do this and submit the form, APM won't have a session to associate to it and will issue this error message.

     

    That was the case (and mystery) here. We found out that the user was clicking on a bookmark they had made.

     

    • Mrk_'s avatar
      Mrk_
      Icon for Nimbostratus rankNimbostratus
      Sep 14, 2016

      We're having the same issues for our websites. Our customers are from all around the country, we can't make them not bookmark the login page ;-). It's a very common thing to do, so I hope there's solution for this.

       

      They load their bookmark and get to the login form. When they POST their info to the "my.policy", APM comes back with the error that no session exists.

       

      Is there a way to create a new session on-the-fly when a user doesn't have one yet or anymore? And obviously, the request should still continue, otherwise they'd have to login _again_.

       

      I don't think there's a setting for this, but I can imagine an iRule could possibly take care of this.

       

    • Mrk_'s avatar
      Mrk_
      Icon for Nimbostratus rankNimbostratus
      Sep 14, 2016

      Hm, I may have been able to solve this after all... I came accross this page: https://devcentral.f5.com/wiki/APM.AcceptPostedCredsfromExternalSite.ashx.

       

      In that example, after the block that checks if the credentials are set, you get redirected to the "External Logon Page". Instead of that, I made an ending "Redirect" to this logon page with also closing the session.

       

      Instead of POST-ing to "/my.policy" (which requires you to have a session), we post to the "/fake" and that way a new session will be created if it doesn't exist yet.

       

      I need to check this thoroughly of course, but thought I'd share the approach here anyway.