Forum Discussion

djzoidberg_2313
Nimbostratus
Mar 31, 2016

Windows credential with APM

Hi all, my boss always has good ideas for destroying my happiness, and he asked me to create an SSO system to access an HTTP page using Windows logon credentials without showing the users the login form. I have the APM and LTM modules, but I don't know if there is a way to do this.

Any idea?

Thanks in advance.

3 Replies

  • Josiah_39459
    Historic F5 Account

    It sounds to me like you want to use APM with Kerberos Auth (SPNEGO), which has the client get a ticket from the domain server directly and then send that ticket to the APM. Then you can put your web server in a pool behind the Kerberos auth APM. No popup will be shown as long as your browser is configured to send Kerberos auth on a 401 (the method of configuring this is different in IE and Firefox, but you can likely push out the IE config via group policy).

    Here is the guide for the APM configuration part:

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-2-0/4.html

    • djzoidberg_2313
      Nimbostratus
      Hi Josiah, thanks for the answer. I have a related question. Can this method be used if I have a web application server outside my domain that is still able to talk to Active Directory? Let me try to explain better. The web page is hosted by a cluster of Cisco Call Managers (I'm talking about the self-care portal), and these servers, load-balanced by the F5 LTM, aren't joined to the domain, but they talk to AD to authenticate the users. In this case, I think, Kerberos isn't the right way. Does that make sense?
    • Josiah_39459
      Historic F5 Account
      Well, if your boss is OK with a logon page on the APM, you can use whatever SSO you want to the backend servers. If you don't want to enter anything in a logon page or a popup, then you want client certs, or Kerberos SPNEGO, or you could even do NTLM or Basic Auth. I think you definitely need to clear up your boss's requirements regarding what applies to the front end (client to F5) and what applies to the backend (F5 to servers), and what type of auth your servers use (if any).