APM different authentication mechanism based on Hostname

Hello,

I wanted to know if it is possible to have, for example, two different authentication mechanisms in one Access Profile, so that based on the URL which I enter, the APM decides which one is used.

Configuration:

- One virtual server, assigned with the ECA profile in order to use NTLM authentication:

    ltm virtual vs_app-login-sso {
        description "App for LDAP Login and NTLM SSO"
        destination 10.254.3.181:https
        ip-protocol tcp
        mask 255.255.255.255
        pool pool_app-qual
        profiles {
            Login_SSO { }
            clientssl-insecure-compatible {
                context clientside
            }
            eca { }
            http_redirect_rewrite_all { }
            rba { }
            tcp { }
            websso { }
        }
        rules {
            irule_ECA_NTLM_Auth
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 17
    }

iRule:

    when HTTP_REQUEST {
        ECA::enable
        ECA::select select_ntlm:/Common/ntlm_auth
    }

And here is the Access Profile: [image]

So the first entry point is "Landing URI"; the profile should decide that when I come with the Login URL it should use the LDAP Login Page, and if I come with the SSO URL it should use NTLM.

Both authentications are working when they are used in separate profiles, but not combined in one.

Is this possible or not? Hope everything is described clearly; if not, just ask :)

Thanks, Christoph


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can create a TLS servername-based routing virtual server and one VS per hostname with dedicated policies.

Comments on this Answer
Comment made 14-May-2018 by Christoph Frischhut 134

I was also thinking about such a kind of configuration, but the problem is that when one user accesses the Login URL and logs in with LDAP credentials, these session parameters also need to be shared with the SSO URL.

Because all links inside the application are configured with the SSO URL, if I split it into two VS and two Access Profiles, users would be authenticated again via NTLM when they click any link.

Any other ideas?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Use the following iRule:

    when HTTP_REQUEST {
        if {[HTTP::path] starts_with "/ntlm_uri"} {
            ECA::enable
            ECA::select select_ntlm:/Common/ntlm_auth
        }
    }
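The iRule above selects NTLM by URI path. Since the original question asked for a split by DNS name, here is an added example (not code from the thread) that generalises it to select ECA by the Host header instead; the hostnames and the ntlm_auth configuration name are the ones Christoph mentions later in the thread and are assumed for illustration.

```tcl
# Added example (not from the thread): choose client NTLM (ECA) by hostname
# instead of by path, matching the DNS-name split described in the question.
# Hostnames and the NTLM auth config name reuse the values given in the thread.
when HTTP_REQUEST {
    # The Host header may carry a port and mixed case; normalise before matching
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    switch -- $host {
        "sso-webapp.company.com" {
            # Challenge the browser for NTLM before APM policy evaluation
            ECA::enable
            ECA::select select_ntlm:/Common/ntlm_auth
        }
        "login-webapp.company.com" {
            # No ECA here, so the APM logon page (LDAP form) is presented
        }
        default {
            # Unknown host: no NTLM challenge; the APM policy decides
        }
    }
}
```

As Stanislas notes below, ECA runs before APM policy evaluation, so this only decides whether the NTLM challenge is issued; sharing the resulting APM session across both hostnames is the separate Global scope point Christoph resolved.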
Comments on this Answer
Comment made 15-May-2018 by Christoph Frischhut 134

Just found this article https://devcentral.f5.com/questions/apm-reuse-existing-current-session and this solution is also working for our configuration.

So I split it into two VS (Login & SSO) and configured both access profiles (LDAP Login & NTLM SSO) to Global scope in order to reuse the session and variables after the Login.

But many thanks to you for guiding me in the right direction with splitting the virtual server.

Cheers, Christoph

Comment made 15-May-2018 by Stanislas Piron 9418

After reading again, I don't understand what you wanted to do.

Did you want NTLM auth or NTLM SSO?

  • The eca profile is required to ask NTLM auth from clients.
  • Now you are talking about NTLM SSO.

Do you have multiple web sites behind APM? Does APM have to change the SSO profile depending on the back-end site?

Comment made 15-May-2018 by Christoph Frischhut 134

Sorry for the confusion, so I'm talking about client NTLM authentication. And the request was to have a web site with two different authentication schemes based on the DNS name:

    login-webapp.company.com -> LDAP Login -> webapp
    sso-webapp.company.com   -> NTLM (ECA) -> webapp

But now I made this configuration with two virtual servers using two different access profiles, which are configured in Global scope in order to share the session between both profiles.

So it's solved with this config.

Comment made 15-May-2018 by Stanislas Piron 9418

If you want to manage seamless authentication for some URLs and form auth for others, I recommend configuring Kerberos instead of NTLM (if clients are browsers).

  • NTLM authentication happens before APM evaluation; it is done with iRules.
  • Kerberos authentication can be managed in the VPE, and you can have a fallback to form auth if the user fails Kerberos auth.