Forum Discussion

alex100
Mar 08, 2016

NTLM SSO across Virtual Servers behind multiple appliances

Hi all,


I have several virtual servers across several environments that require Single Sign-On. All applications on the back end use NTLMv2 for authentication. The challenge is to implement SSO between multiple LTM-APM appliances which do not know about each other's sessions. Is this even possible?




5 Replies

  • I guess Alex wants to achieve the following scenario:


    User wants to connect to application1, which is behind LTM/APM1. There APM displays a logon mask, because it's a new session. Then APM performs authentication towards whatever and then makes SSO towards application1.


    Now the same user wants to connect to application2, which is behind LTM/APM2. Here the user prefers not to get any logon mask, and that his SSO information from application1 be used automatically.


    I also would agree with Rabbit23, that such a setup is not possible. But I would be very interested in the solution if I'm wrong here.


    Ciao Stefan :)


  • Sorry Alex, I'm still not completely understanding. Each LTM+APM appliance maintains a unique session for the services it provides. You can SSO to one appliance, and at the same time SSO to another appliance for a separate service. Where exactly is the issue you are experiencing?
  • I don't think this is possible. The session database and/or cookies are not shared between F5s outside of an HA pair.
  • My virtual servers do not live on the same Big-IP unit. They are scattered across several physical appliances all running 11.6. How is it possible for one LTM+APM to know what is in the session variables of another LTM+APM? Where will it obtain values for the password variable, for instance?
  • Can you clarify your question? If I'm understanding you correctly, you are looking to ensure that end users have SSO to all of the applications. If that is the case, then it shouldn't matter how many LTM+APM appliances there are in the mix, as each session would be individually set up for SSO.