Forum Discussion
I've been able to successfully implement a basic access policy using an F5 login page, AD auth and AD query before, it's mainly the Kerberos SSO element that I'm having difficulty with. I've been on the APM training, but this degree of SSO wasn't covered from memory (at least not in any detail)...
Just to be clear, are you talking about client side Kerberos (where the client presents a Kerberos ticket to APM), server side Kerberos (where APM performs Kerberos-based SSO to internal resources), or a combination of both?
One other issue to add to the mix is that my client needs the login page to be SSL, but the majority of the content that it gives access to will be unencrypted. There might be some design considerations there also.
There will absolutely be some design considerations with this one. Most importantly, once a user has authenticated and has a session cookie, they should continue to use HTTPS (even for non-auth resources). You could, technically, use path and/or secure attributes in the session cookie to guarantee it doesn't get exposed to clear-text HTTP, but your very best and probably most secure (and easiest) option is to stay in an SSL session after authentication.
This is just an (untested) idea, but you could create TWO VIPs - one LTM HTTP VIP and one APM HTTPS VIP (same host name/IP and same pool), then simply redirect users to the HTTPS VIP if they request a specific URI (based on a data group, for example). Make sure that the secure option is set in the access profile so that the cookie isn't accessible to the HTTP VIP.
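One way the two-VIP idea above could be expressed as an iRule on the plain-HTTP LTM VIP, added here as an illustration and not code from the thread. It assumes a string data group named `secure_uris_dg` holding the URI prefixes that must be served over HTTPS, and that the APM session cookie uses its default name `MRHSession`.

```tcl
# Added example (not from the thread): iRule attached to the HTTP (LTM) VIP.
# Assumed names: data group "secure_uris_dg" (URI prefixes requiring HTTPS)
# and the default APM session cookie name "MRHSession".
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]

    # 1) Paths listed in the data group are never served over clear-text HTTP;
    #    the client is sent to the APM HTTPS VIP on the same host name.
    if { [class match $uri starts_with secure_uris_dg] } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        return
    }

    # 2) Defence in depth: if a client already holds an APM session cookie,
    #    keep it on HTTPS for everything so the cookie is not sent in the clear.
    #    With the Secure attribute set in the access profile the browser never
    #    sends the cookie to this VIP, so this branch only fires if that
    #    setting is missing.
    if { [HTTP::cookie exists "MRHSession"] } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        return
    }
}
```

Unprotected content that matches neither condition is still served over HTTP by this VIP, as the poster intended.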