Forum Discussion

tminfw2
May 06, 2016

Client authentication methods versus Single Sign On methods

Currently, we mostly have the following structure for our APM profiles:


  1. Present a logon page
  2. Verify the entered username/password using any of these methods: LDAP, AD, RADIUS, ...
  3. Map username and password for single sign-on purposes (SSO methods include form-based client-initiated, Kerberos, NTLMv2)

For a project, I was requested to find a way for users on a domain-authenticated computer to not have to enter username and password again (use the credentials of the user logged on to the system). We have a similar non-F5 setup for this which uses SPNEGO/Kerberos. I understand it is possible for F5 to use a similar way of working by using either NTLM or Kerberos. (You configure, for example, an AAA Kerberos server, include a "401 response" in the APM profile, ...)


However, when using these methods, is there a consequence for using SSO profiles? I am doing a POC with Kerberos client-side authentication, and have succeeded in the client-side authentication. I have, however, no source for the password I need to use for SSO mapping. (The platform I need to integrate with uses NTLMv2.)


So my questions:


  • When using NTLM/Kerberos client authentication, are you limited in the SSO method you need to use on the server side?
  • Is there any way of extracting the password, or at least having it usable for SSO profiles?
  • Hello,

    You are right: when choosing Kerberos, client certificate or NTLM authentication, you restrict your capabilities on the authentication mechanisms supported on the backend for SSO.

    When using an authentication mechanism that does not prompt for a password, you can only use Kerberos delegation, SAML or header-based SSO.

    • tminfw2
      In this case, server-side SSO is NTLMv2. If I understand well, does this mean that I am limited to also using NTLM on the client side?
    • Yann_Desmarest
      If SSO is NTLMv2, you have the option to use basic or forms-based client auth because we need the password. NTLMv2 client auth with NTLMv2 SSO doesn't make sense and AFAIK is not supported through APM.
    • tminfw2
      Just checked the NTLMv2 SSO config and indeed you need a password source for the SSO profile. I will take this up with my team next week.