Nam_Truong_3245
Jun 19, 2017

Client Certificate Authentication Big IP issue on iOS devices

Hi everyone,

We have 3 IIS servers running on HTTPS and load balanced with Big IP. We configured client certificate authentication on the IIS servers (many-to-one, one client certificate can be used for multiple users). At first, everything seemed to be OK. We tested on computers running different versions of Windows and no issues occurred. However, when testing with iOS devices (iPhone, iPad), if the device has more than 2 profiles (client certs) installed, Safari keeps asking you to select a certificate each time you go to a page in the website. That was a terrible experience for the iOS users. We guess this issue was caused by the Big IP configuration. But since the Big IP system is managed by a different team from another company, we have very little information on how our pool was configured. Can anyone suggest what we need to tell the BigIP team to check or change in the configuration? Any help would be greatly appreciated.

6 Replies

  • I'm sure this will be dealt with by an iRule. You can ask the F5 team to check the iRule CLIENTSSL_CLIENTCERT events, as this is the event which checks whether a client has provided a cert. Hope this Q&A also gives you some tips.

  • Thanks jaikumar for your reply. So you mean the BigIP team enabled this iRule, or is it enabled by default? And the solution is to disable this iRule?

  • No no, that's not what I meant. I'm pointing you to check in this direction with the BigIP team. The BigIP team would be dealing with iRules to handle these scenarios. They would have put in data-groups for different user-agents and how to respond based on that. If it's browser based, it acts differently, and if it's a mobile user agent, it would act differently. These are defined in the iRule. Explain to them that they may need to check the F5 iRule to handle these exceptions.

  • Hi jaikumar,

    I just set up a test environment with Windows NLB and I see that the same issue also appears there, as in the real environment with BigIP. An iOS device which has more than 2 client certificates will be asked for certificate selection each time a link/item is clicked. I already set NLB in Windows Server to Affinity mode: "Single" but there is still no change. So I wonder if this issue is from iOS (Safari) itself or caused by the load balancer? Do you have any idea?