For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mf5's avatar
mf5
Icon for Nimbostratus rankNimbostratus
Aug 27, 2018

APM Kerberos authentication

Hello,   Presently we have webmail using 2F-authentication (AD & OTP)   i want to know whether client side authentication uses kerberos between APM and AD?   Thanks.  
application delivery
BIG-IP Access Policy Manager (APM)
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 27, 2018

How APM authenticates a client is completely dependent on how you define authentication in an access policy. For AD, those options can include:

 

  • 401 and 407-based Kerberos authentication - where there client requests a Kerberos service ticket from the AD for access to a service. Here the client contacts the AD (via Kerberos negotiation).

     

  • 401 and 407-based NTLM authentication - where APM presents an NTLM challenge-response to the client, and verifies the client's response against the AD. Here APM contacts the AD via NTLM/RPC negotiation.

     

  • 401 and 407-based Basic authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate a user.

     

  • Forms-based authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate the user.

     

There is no "default" method. You would choose which method(s) you want to use with clients.