Client side Kerberos with Portal Access List object
Hey There,
Hoping somebody can help, tearing my hair out as usual.
I have an access policy which performs the following:
Browser matches IE -> IP Subnet Matches internal -> 401 response -> Kerberos Auth -> WebTop
The webtop contains some portal access list objects which I'll be configuring with SSO at some stage. For now I'm just trying to get some external links such as Google to work.
In the policy, if the browser or IP Subnet are not matched, the user is presented with a logon page via some fallback branches.
When accessing a portal access list link post Kerberos authentication, the web page just sits there as "waiting for etc...". If accessing the same portal access list link post logon page/AD authentication, the link works fine.
The idea here is that Kerberos will silently present the web portal (which it does), and we can authorise an external Linux web host with some post info (that's the SSO part which I'm not quite up to).
I've been through various iterations, including referencing a separate VS for the external site, using iRules to disable the policy when referencing /f5-w- URIs, and even cross-comparing session variables between logon page/AD auth and manually assigning them within the Kerberos path.
I'm fairly green when it comes to this (and I haven't even gotten to the SSO yet).
Thanks