Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. SSO / ESP

Forms Based - In particular browsers, the ESP Login Form just refreshes after login and does not redirect to the Server

Updated

Issues may be experienced with Edge Security Pack (ESP) which affect one browser but not another. Specifically, an issue which may occur is that no error is returned but the page redirects to an empty ESP form. In many cases the problem is due to the trust setting on the browser.
 
If this issue is occurring - check the following when logging on:
  • A cookie is set for the session after logging in through ESP
  • This cookie is used in the subsequent requests
The typical transaction when using ESP form-based authentication is described below.
 
In this example the domain name is mail.contoso.com.
 
 
 
1. Access https://mail.contoso.com/owa.
2. The LoadMaster redirects the user to https://mail.contoso.com/lm_auth_proxy?...
3. Enter user credentials and click Submit. This generates a HTTP POST to the LoadMaster containing the credentials.
4. If the login is successful the user is redirected to https://mail.contoso.com/owa, with a Set-Cookie in the response containing a cookie to use for the subsequent connection. The presence of this cookie allows connection through ESP.
5. The user can then access https://mail.contoso.com/owa by submitting the request, including the cookie returned in step 4.
 
In some cases, if the browser's trust settings are incorrect, the Set-Cookie which is set in step 4 is ignored and the request sent in step 5 does not contain the cookie. In this case the connection is not trusted and is redirected to the https://mail.domain.com/lm_auth_proxy?.... page in step 2.
 
Correct behavior:
The following screen-shots show the correct behavior.
The output is from using IE F12 Developer Tools (press F12 and click on Network in the upper toolbar).
 
The first line shows step 3.
A HTTP POST is generated by the client and (with the correct credentials).
The user is redirected to the original page requested - /owa (302 response) and a cookie is set which will allows this connection through ESP.
 
 
The Response Header from LoadMaster contains "Set-Cookie"
  
Then the client requests the original URL again but this request includes a cookie which allows the connection through.
 
 
The OWA web page should then successfully display as the user is logged in.
 
 
Incorrect behavior:

A user tries to access /owa and is redirected to the ESP Form for authentication.

A user inputs data in ESP Form. This generates a HTTP POST when the Submit button is clicked.

Login Credentials are correct. ESP sets a Cookie see Set-Cookie field below. User is redirected to originally requested page (/owa) - 302 Found.
 
 
The user then requests a GET /owa but, due to a Trust issue on the browser, the request does not include the cookie set previously. This cookie is required in order to be allowed past ESP.

(No cookie in below GET)

 

As a result, the user is redirected back to the ESP Page. (/lm_auth_proxy)

 
If symptoms such as those above are seen, it is important to check the Security/Privacy settings on the Browser.
 
 
In each case, the browser must accept cookies from the domain protected by ESP e.g mail.domain.com in this example.
 
 
Modify the Browser Security/Privacy Settings to Resolve the Issue
 
The following sections show you how to navigate to the browser Security/Privacy settings for different browsers.
 
 
Internet Explorer:
 
Go to Internet Options > Privacy > Advanced.
 
Ensure that Third-party Cookies is set to Accept.
 
 
 
Chrome:
Go to Settings > Show Advanced Settings > Privacy > Content Settings > Cookies.
Ensure the Allow local data to be set check box is selected.
 
 
Firefox:
 
Go to Options > Privacy.
 
Ensure that the History settings are set to Firefox will: Use custom settings for history and Accept third-party cookies: Always.
 
Safari:
 
 
Apple iPhone/iPad.
 
Go to Settings > Safari > Block Cookies.
 
 
ESP will fail if the settings are set as in the above screenshot.
 
For ESP to work, either the Allow from Websites I Visit or Always Allow option must be enabled.
 
 
 
 
  
Android:
 
Click the default browser. Go to Menu > Settings > Privacy > Accept Cookies.
 
 
Chrome (in Android):
 
Go to Settings > Site Settings > Cookies. 
 
 
 
 * Note: If these symptoms are seen in Internet Explorer but not in other Browsers it may be an issue with the domain name used. Internet Explorer does not Trust cookies associated with Domains which
a. contain "_" 
b. are two letters long e.g. ab.cd
 
If either of the above conditions exist, even with changes to the Trust settings IE will still not Trust the cookies.
 
 

Comments

In this document