LTM+APM SSO only for designated Subnets

Question

Hi,&nbsp;
we have a Problem we have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of pubic subnets. If a user comes out of a private subnet we do not present a logon page so that the user get passed through and the browser takes the credentials out of the browser for SSO on the site (Sharepoint in my case)&nbsp;
This works but for users where i don't have a logon-page and a SSO mapping i get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also depending on the client there are opened up to 30! apm sessions per client &nbsp;
So my question: How can i supress this message and get only one session per client?&nbsp;
Thanks for your answers &nbsp;
Martin&nbsp;

josiah_39459 · Answer

The error just means the SSO credential mapping object in the VPE is looking for a session variable which isn't set (in this case last logon username). So you'd have to edit the SSO credential mapping object to get the username from a session variable which actually exists.

martin_foidl · Answer

Thanks Josiah,&nbsp;
and this is where the problem begins ..... ;)&nbsp;
I don't have a session variable where i can write in the credentials because i only pass them through so that the user does not have to enter credentials in a webtop form. We have this because we want external users to get pre-authenticated (Form-based) and internal users to just get passed through! So the main problem is that i need the SSO configuration on the VS for the external users but for internal users i does not need it because they get only passed through.&nbsp;
I've attached an image of the policy below.&nbsp;
&nbsp;
Thanks Martin&nbsp;

josiah_39459 · Answer

Thanks, that picture clears things up.&nbsp;
You need to disable sso then for the internal case.  Just add an irule event trigger and have an irule disable sso (WEBSSO::disable)&nbsp;

martin_foidl · Answer

I think I am doing something wrong writing the iRule&nbsp;
I created an iRule "xxx" containing&nbsp;
when ACCESS_POLICY_AGENT_EVENT {&nbsp;
  set WEBSSO::disable
}&nbsp;
Then I added the iRule Event in a Box with the ID xxx in the VPM and attached the iRule to the VS but it will not work :/&nbsp;
in LTM Log I get &nbsp;
TCL error: /REVERSE_PROXY/apm_disableSSO  - can't read "WEBSSO::disable": no such variable     while executing "set WEBSSO::disable"&nbsp;

stanislas_piro2 · Answer

Hi,
WEBSSO::disable must be applied to every request and not when user authenticate...
the best way is to disable APM base on IP address in an irule:
when HTTP_REQUEST {
    if { [IP::addr [IP::local_addr]/8 eq 10.0.0.0] || [IP::addr [IP::local_addr]/12 eq 172.16.0.0] || [IP::addr [IP::local_addr]/16 eq 192.168.0.0]} {
        ACCESS::disable
        return
    }
}

Forum Discussion

LTM+APM SSO only for designated Subnets

6 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Using Client Subnet in DNS Requests

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1