For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bengt_Andersson's avatar
Bengt_Andersson
Icon for Nimbostratus rankNimbostratus
Mar 26, 2019

Access to a IIS web server (windows auth) from a standalone client using APM?

We have a scenario like this: We have planned to use standalone infoscreens(linux based i think) that should show content from for example a tfs board (windows auth) and the infoscreens can probably ...
application delivery
BIG-IP Access Policy Manager (APM)
Yoann_Le_Corvi1's avatar
Yoann_Le_Corvi1
Icon for Cumulonimbus rankCumulonimbus
Mar 26, 2019

Hi,

 

Kerberos delegation is not that complex in the end. Check the documentation here

 

In the end it comes down to :

 

- A service Account for the F5 in Active Directory

 

- Create a SPN for that service account

 

- create a SPN for the IIS Computer or service account in active directory like http/iishost.mydomain.com

 

- In the delegation tab of the F5 Service Account, add the IIS SPN in the trusted list, and select "Use Any Authentication Protocol"

 

- Create an Kerberos SSO profile using the F5 Service account / password. - Assign the SSO profile to your APM policy (or Portal resources)

 

Hope this helps. Let us know if not.