I have a VS which is hosting a website. The website has a login page and users can log in with their domain/AD credentials. Now we would like to skip that login page for users who are already logged in to their PC with their domain credentials. So basically we would like to skip the login page for the users who are already authenticated by AD/Domain.
I was following this https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html but it's not working. Is there another way?
In fact, if you want to achieve it you can set up Kerberos auth or NTLM on F5.
But suppose it will work on F5 (Kerberos auth), how will you implement SSO on your application? If I understand correctly, your application needs a username and password, but if your authentication is Kerberos on F5 you only have the username and no password for SSO.
Can you explain this point please: how will you achieve SSO in your app once the user is authenticated on F5?
The backend servers are also configured for Kerberos with a service account. But I am a bit confused! What we understand is, once the client accesses the VS/URL, a Kerberos auth/ticket will be requested by the website with a 401 towards the KDS (Key Distribution Server), which will verify if the user is already authenticated to the domain. Then the Domain/AD will respond with Allow/Deny to that request. Please correct me if I am wrong and we need to approach this differently.
What would be the best way to proceed with this type of SSO configuration?
OK, so what I understand is you don't use APM.
You have an application that is behind an F5 VS. So first of all, keep in mind that you have to add the new SPN to your user account (for Kerberos).
For example, if your VS URL is app-f5.mydomain.com (A record), you have to add the SPN HTTP/app-f5.mydomain.com to the user account your app is hosted under.
When you use Kerberos auth, it seems that you are connected to the internal domain and you can reach the KDC in order to retrieve a Kerberos token.
So when you contact your app through your VS, your machine will ask the KDC for a ticket for the following SPN: HTTP/app-f5.mydomain.com. Once you retrieve it you can reach your application.
If no SPN exists for this domain, the KDC can't provide you a token and, of course, you will not be able to access your service with this authentication method; you will get a fallback form, for example.
If you want to check whether you have retrieved the token, open cmd and enter the "klist" command.
Hope it's clear,
Thanks a million for your help and quick response!!!
So just to be clear, other than creating a new SPN (service principal name) mapping in the application and Domain Controller, we do not have to do anything on F5. And I can remove the configuration I created by following https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html. Right?
Can you just explain your context to me?
The users that access your application are on the internal network, is that right? There is no access from outside?
If that's the case, you don't need APM; your application can do the job.
Keep me in touch
Yes, it's all internal users who will be accessing this application/URL. All users will be accessing this from machines connected to the same domain as the server hosting the application/URL.
OK, in this case you don't need APM, especially as your application does Kerberos authentication.
If you have already put some things in place, remove the APM part.
Now, as I explained above, you need to set up the Kerberos part on the server side if it's not done. You need to add your SPN HTTP/fqdn (VIP A record) in the servicePrincipalName attribute. This servicePrincipalName has to be added to your technical account / machine, depending on your backend...
Hope it's clear.
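As an added example (not from the thread or from F5), here is the SPN registration and verification described above, in PowerShell on a domain-joined admin workstation. It assumes the VIP A record app-f5.mydomain.com, an application pool running as the hypothetical service account svc-app, and the RSAT ActiveDirectory module for the Get-ADUser check; the account and hostnames are placeholders.

```powershell
# Added example, not from the thread. Hypothetical names:
# VIP A record app-f5.mydomain.com, app pool service account MYDOMAIN\svc-app.
$Spn     = 'HTTP/app-f5.mydomain.com'
$Account = 'svc-app'   # use 'APPSERVER$' instead if the pool runs as the machine account

# 1. Check nobody else already holds this SPN. A duplicate SPN makes the KDC
#    unable to decide which key to use, and clients silently fall back to the form.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Warning "$Spn is already registered:`n$($query -join "`n")"
} else {
    # -S adds the SPN only after a forest-wide duplicate check (-A skips that check)
    setspn -S $Spn $Account
}

# 2. Confirm the servicePrincipalName attribute on the account now carries the VIP SPN
$spns = (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
if ($spns -notcontains $Spn) { Write-Warning "SPN not present on $Account" }

# 3. Forest-wide duplicate SPN report; should list nothing for the HTTP/ names
setspn -X

# 4. On a domain-joined client: drop cached tickets, request one for the VIP SPN,
#    then look for it the same way the thread's "klist" check does.
klist purge
klist get $Spn
klist | Select-String -Pattern 'Server: HTTP/app-f5.mydomain.com'
```

If step 4 shows no ticket, the browser will receive the 401 Negotiate challenge but cannot answer it, which is exactly the "fallback form" behaviour described above.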
Thanks a lot for your help and detailed explanation. Much appreciated!!! :-)