
Forum Discussion

marcesullivan_2
Apr 21, 2016

Can APM be used to restrict access to users that fail Kerberos authentication?

Currently our access policy is configured to use SSO with Kerberos authentication to log users into our SharePoint site. The problem we are having is that even when users aren't receiving a Kerberos ticket, their credentials are still being passed along and they are being logged in to the SharePoint site (I assume they are being logged in with NTLM). Is there something that can be added to the access policy that can recognize that the user has failed the Kerberos piece and not pass their credentials along, and thus deny them access?

 

5 Replies

  • So you're doing client side AND server side APM Kerberos?

     

    And if so, is it that the client's Authorization (Negotiate) header is passing through the BIG-IP?

     

  • Not sure I understand then. Your original question suggested that you're using APM Kerberos SSO, which is server side authentication.

     

  • Hello,

     

    If Kerberos SSO fails, the WebSSO process stops trying Kerberos delegation. In some cases, I implemented a VIP-targeting-VIP architecture where the front VIP rewrites 401 responses before they reach the customer and replaces them with a 200 OK and a Set-Cookie to force expiration of MRHSession and LastMRH_Session. This way, if SSO fails, you close the APM session.

     

  • Okay, so your original statement,

    "The problem we are having is that even when users aren't receiving a Kerberos ticket, their credentials are still being passed along and they are being logged in to the SharePoint site"

    still applies? If so, it's very likely that the client is sending in credentials via Authorization header. So it's just a matter of removing that at the front door.

    when HTTP_REQUEST {
        # Drop any credentials the browser volunteers (NTLM/Negotiate/Basic) so
        # only the server-side APM Kerberos SSO can authenticate to the back end.
        if { [HTTP::header exists Authorization] } {
            HTTP::header remove Authorization
        }
    }
    

    This will keep any client-initiated authentication from passing through to the internal applications.
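Putting the two suggestions from this thread together, here is an added example iRule for the outer VIP in the VIP-targeting-VIP design described above. It is not code from the thread or from F5 documentation: on the request side it strips any client-initiated Authorization header (and logs when the header carries an NTLM token rather than a Kerberos one), and on the response side it intercepts a 401 from the inner APM/SharePoint path, which means the Kerberos SSO did not succeed, and answers with a 200 that expires the MRHSession and LastMRH_Session cookies. The cookie names come from the reply above; the log prefix, the response page text and the cookie attributes are assumptions.

```tcl
# Added example iRule for the front (non-APM) VIP in a VIP-targeting-VIP design.
# Not from the original thread; MRHSession / LastMRH_Session are the APM session
# cookies named above, everything else (log text, page body, cookie flags) is assumed.

when HTTP_REQUEST {
    if { [HTTP::header exists "Authorization"] } {
        set authval [HTTP::header "Authorization"]

        # A Negotiate token that begins with "TlRMTVNT" is base64 for "NTLMSS",
        # i.e. the browser is offering NTLM, not a Kerberos service ticket.
        # Log it so failed-Kerberos clients can be found, then drop the header
        # so the back end never sees client-supplied credentials.
        if { [string match -nocase "ntlm *" $authval] || [string match "Negotiate TlRMTVNT*" $authval] } {
            log local0. "NTLM fallback attempt from [IP::client_addr] for [HTTP::host][HTTP::uri]"
        }
        HTTP::header remove "Authorization"
    }
}

when HTTP_RESPONSE {
    # A 401 coming back through the inner VIP means APM's Kerberos SSO did not
    # produce a usable ticket. Do not forward the WWW-Authenticate challenge
    # (which would invite an NTLM retry); instead end the APM session by
    # expiring its cookies and show a fixed failure page.
    if { [HTTP::status] == 401 } {
        set expired "Thu, 01 Jan 1970 00:00:00 GMT"
        HTTP::respond 200 content "<html><body>Sign-in failed: Kerberos authentication was not successful.</body></html>" \
            "Content-Type" "text/html" \
            "Cache-Control" "no-store" \
            "Set-Cookie" "MRHSession=deleted; path=/; expires=$expired; Secure; HttpOnly" \
            "Set-Cookie" "LastMRH_Session=deleted; path=/; expires=$expired; Secure; HttpOnly"
    }
}
```

Because the outer VIP carries no access profile, the APM cookies are ordinary cookies to it, which is why a plain Set-Cookie with a past expiry is enough to log the user out; the inner VIP keeps the access policy and the Kerberos SSO configuration unchanged. Test the HTTP_RESPONSE branch against a deliberately broken delegation account before relying on it, since any other 401 from SharePoint (for example an anonymous request to a protected library) will be turned into the same logout page.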