Bengt_Andersson
Mar 26, 2019

Access to an IIS web server (Windows auth) from a standalone client using APM?

We have a scenario like this: we have planned to use standalone infoscreens (Linux based, I think) that should show content from, for example, a TFS board (Windows auth), and the infoscreens can probably send username/password in the request. Can we use APM to "convert" the username/password (we could use a service account in the AD domain for this) to access the Windows authentication IIS site? The TFS guys don't want to enable basic auth due to some issues with TFS using BA. I am a little confused here; I had a tip about Kerberos delegation, but that looks very complex to fix this? Need some help here!

Regards, Bunkemannen

 

1 Reply

  • Hi,

    Kerberos delegation is not that complex in the end. Check the documentation here

    In the end it comes down to:

    - A service account for the F5 in Active Directory
    - Create a SPN for that service account
    - Create a SPN for the IIS computer or service account in Active Directory, like http/iishost.mydomain.com
    - In the delegation tab of the F5 service account, add the IIS SPN to the trusted list, and select "Use Any Authentication Protocol"
    - Create a Kerberos SSO profile using the F5 service account / password.
    - Assign the SSO profile to your APM policy (or Portal resources)

    Hope this helps. Let us know if not.
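
The Active Directory side of the steps in the reply above, written out as an added example (it is not part of the original reply or of F5's documentation). It uses the ActiveDirectory PowerShell module; the account name, the F5 account's SPN and the IIS host account are placeholders, and only `http/iishost.mydomain.com` comes from the thread. The last step checks that delegation stayed constrained to that one SPN.

```powershell
# Added example. Run as a domain admin on a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$F5Account = 'svc-f5-kcd'                    # placeholder: delegation account for the F5
$F5Spn     = 'host/svc-f5-kcd.mydomain.com'  # placeholder: SPN for that account
$IisSpn    = 'http/iishost.mydomain.com'     # IIS SPN as given in the reply
$IisOwner  = 'iishost'                       # placeholder: computer or service account
                                             # that runs the IIS application pool

# 1. Service account for the F5 (password is prompted for, not stored in the script)
New-ADUser -Name $F5Account -SamAccountName $F5Account `
    -AccountPassword (Read-Host -AsSecureString "Password for $F5Account") `
    -Enabled $true

# 2. SPN on the F5 account (the Delegation tab only appears once an SPN exists)
Set-ADUser -Identity $F5Account -ServicePrincipalNames @{ Add = $F5Spn }

# 3. SPN for IIS; setspn -S refuses to register a duplicate SPN
setspn -S $IisSpn $IisOwner

# 4. Constrained delegation to the IIS SPN only, with protocol transition
#    ("Use any authentication protocol" in the Delegation tab)
Set-ADUser -Identity $F5Account -Add @{ 'msDS-AllowedToDelegateTo' = $IisSpn }
Set-ADAccountControl -Identity $F5Account `
    -TrustedToAuthForDelegation $true `
    -TrustedForDelegation $false             # never unconstrained delegation

# 5. Verify the result: exactly one delegation target, no unconstrained delegation
$acct = Get-ADUser -Identity $F5Account -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$targets = @($acct.'msDS-AllowedToDelegateTo')
$extra   = @($targets | Where-Object { $_ -ne $IisSpn })

if ($acct.TrustedForDelegation) {
    Write-Warning "$F5Account is trusted for UNCONSTRAINED delegation"
}
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "$F5Account lacks protocol transition; Kerberos SSO from APM will fail"
}
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected delegation targets: $($extra -join ', ')"
}
"Delegation targets for ${F5Account}: $($targets -join ', ')"
```

The Kerberos SSO profile and its assignment to the APM policy are configured on the BIG-IP with this same account and are not shown here.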