F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

marcesullivan_2's avatar
marcesullivan_2
Icon for Nimbostratus rankNimbostratus
Apr 21, 2016

Can APM be used to restrict access to users that fail Kerberos authentication?

Currently our access policy is configured to use SSO with Kerberos authentication to log users into our sharepoint site. The problem we are having is that even when users aren't receiving a Kerberos...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 26, 2016

Okay, so your original statement,

"The problem we are having is that even when users aren't receiving a Kerberos ticket they're credentials are still being passed along and they are being logged in to the sharepoint site"

still applies? If so, it's very likely that the client is sending in credentials via Authorization header. So it's just a matter of removing that at the front door.

when HTTP_REQUEST {
    if { [HTTP::header exists Authorization] } {
        HTTP::header remove Authorization
    }
}

This will keep any client-initiated authentication from passing through to the internal applications.