Skip login page after authenticating to AD/domain

I have a VS which is hosting a website. The website has a login page and users can log in with their domain/AD credentials. Now we would like to skip that login page for users who are already logged in to their PC with their domain credentials. So basically we would like to skip the login page for the users who are already authenticated by AD/Domain.

I was following this https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html but it's not working. Is there another way?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

In fact, if you want to achieve this you can set up Kerberos auth or NTLM on F5.

But suppose it works on F5 (Kerberos auth): how will you implement SSO on your application? If I understand correctly, your application needs a username and password, but if your authentication is Kerberos on F5 you have only the username and no password for SSO.

Can you explain this point please: how will you achieve SSO in your app once the user is authenticated on F5?

Regards,

Comments on this Answer
Comment made 27-Aug-2018 by Atee 2

The backend servers are also configured for Kerberos with a service account. But I am a bit confused! What we understand is: once the client accesses the VS/URL, a Kerberos auth/ticket will be requested by the website with a 401 towards the KDS (Key Distribution Server), which will verify if the user is already authenticated to the domain. Then the Domain/AD will respond Allow/Deny to that request. Please correct me if I am wrong and we need to approach this differently.

What would be the best way to proceed with this type of SSO configuration?

Comment made 27-Aug-2018 by youssef 4046

OK, so what I understand is that you don't use APM.

You have an application that is behind an F5 VS. So first of all, keep in mind that you have to add the new SPN to your user account (for Kerberos).

For example, if your VS URL is app-f5.mydomain.com (A record) you have to add the SPN HTTP/app-f5.mydomain.com to the user account that hosts your app.

When you use Kerberos auth it seems that you are connected to the internal domain and you can reach the KDC in order to retrieve a Kerberos token.

So when you contact your app through your VS, your machine will ask the KDC for a ticket for the SPN HTTP/app-f5.mydomain.com; once you retrieve it you can reach your application.

If no SPN exists for this name the KDC can't provide you a token and of course you will not be able to access your service with this authentication method; you will get a fallback form, for example.

If you want to check whether you have retrieved the token, open cmd and enter the "klist" command.

Hope it's clear,

Comment made 27-Aug-2018 by Atee 2

Thanks a million!!! for your help and quick response.

So just to be clear, other than creating a new SPN (service principal name) mapping in the application and Domain Controller, we do not have to do anything on F5. And I can remove the configuration I created by following https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html. Right?

Comment made 27-Aug-2018 by youssef 4046

Hi Atee,

Can you just explain your context to me?

The users that access your application are on the internal network, is that right? There is no access from outside?

If that's the case, you don't need APM; your application can do the job.

Keep me posted

Comment made 27-Aug-2018 by Atee 2

Yes, it's all internal users who will be accessing this application/URL. All users will be accessing it from machines joined to the same domain as the server hosting the application/URL.

Comment made 27-Aug-2018 by youssef 4046

OK, in this case you don't need APM, especially as your application does Kerberos authentication.

If you have already put some things in place, remove the APM part.

Now, as I explained above, you need to set up the Kerberos part on the server side if it's not done. You need to add your SPN HTTP/fqdn (VIP A record) to the servicePrincipalName attribute. This servicePrincipalName has to be added to your technical account / machine, depending on your backend...

Hope it's clear.

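As an added example (not from the thread, and not F5 or Microsoft code), a small Python pre-flight check for the two things youssef points to: that HTTP/<VS FQDN> is registered on exactly one account, and that the client's klist shows a ticket for it. The account names and both sample outputs are constructed in the style of `setspn -L` and `klist`, so it runs offline; in practice you would feed it the real command output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `setspn -L <account>` for two hypothetical
# accounts; HTTP/app-f5.mydomain.com appears twice, the duplicate-SPN failure mode.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc-web,OU=Service,DC=mydomain,DC=com:
        HTTP/app.mydomain.com
        HTTP/app-f5.mydomain.com
Registered ServicePrincipalNames for CN=APPSRV01,OU=Servers,DC=mydomain,DC=com:
        HOST/APPSRV01
        HTTP/app-f5.mydomain.com
"""

# Constructed sample in the style of `klist` on the client after visiting the VS.
KLIST_OUTPUT = """\
#0>     Client: atee @ MYDOMAIN.COM
        Server: krbtgt/MYDOMAIN.COM @ MYDOMAIN.COM
#1>     Client: atee @ MYDOMAIN.COM
        Server: HTTP/app-f5.mydomain.com @ MYDOMAIN.COM
"""

def expected_spn(vs_fqdn):
    """SPN the browser asks the KDC for when it opens http(s)://<vs_fqdn>/ (the A record name)."""
    return "HTTP/" + vs_fqdn.lower()

def parse_setspn(text):
    """Map each SPN (lower-cased) to the list of accounts it is registered on."""
    owners = defaultdict(list)
    account = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:
            account = m.group(1)
        elif line and account:
            owners[line.lower()].append(account)
    return owners

def check_spn(vs_fqdn, setspn_text):
    """'ok' if the VS SPN is on exactly one account, else 'missing' or 'duplicate'
    (a duplicate SPN breaks Kerberos auth just like a missing one, hence the check)."""
    owners = parse_setspn(setspn_text).get(expected_spn(vs_fqdn).lower(), [])
    return "missing" if not owners else "duplicate" if len(owners) > 1 else "ok"

def has_ticket(vs_fqdn, klist_text):
    """True if klist shows a service ticket for the VS SPN, i.e. the KDC issued it."""
    needle = "server: " + expected_spn(vs_fqdn).lower() + " @"
    return any(l.strip().lower().startswith(needle) for l in klist_text.splitlines())
```

If `check_spn` reports "ok" but `has_ticket` is false, the client never requested the ticket, which usually points at the VS name not being treated as intranet / the A-record name the user typed, rather than at the SPN itself.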
Comment made 27-Aug-2018 by Atee 2

Thanks a lot for your help and detailed explanation. Much appreciated!!! :-)
