APM - Log user into backend webpage as a different account

Question

I thought I saw an example of this on the forums but I can't 'seem to find it.  Does anyone have any direction for this scenario:&nbsp;
-Want to log a user into APM as a user from domain A.
-If they auth successfully (and pass a group membership check)
-Forward them to the backend pool but log them into that backend webserver as an account from Domain B (a generic service account for instance).
-The service account they would be logged in as would be determined by their group membership in domain A.&nbsp;
The backend server would be windows integrated authentication.&nbsp;

arnaud_lemaire · Answer

Hi,&nbsp;
if kerberos is an option to the backend, you coulddo kerberos constraint delegation with a kerberos sso profile to your app.&nbsp;
In you VPE after the pre authentication and group membership validation you assign variables session.sso.token.last.username and session.logon.last.domain according to group membership. &nbsp;

Forum Discussion

APM - Log user into backend webpage as a different account

1 Reply

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Questions on R-Series 5800s

Questions on Migrating configs from iSeries to RSeries F5s

Random TCP Resets from F5

Create Domino LTPA token on F5 problem

RDP persistence with SNAT

Related Content

SSL Offloading and Backend pool https

DNS load balancing to backend servers using GTM/LTM.

webpage not loading with http profile

iRule to Force Source IP to Specific Backend Node

The same static variable in different iRules/VS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS