Client authentication methods versus Single Sign On methods
Currently, we mostly have the following structure for our APM profiles:
- Present a logon page
- Verify the entered username/password using any of these methods: LDAP, AD, RADIUS, ...
- Map the username and password for single sign-on purposes (SSO methods include form-based client-initiated, Kerberos, NTLMv2)
For a project, I was requested to find a way for users on a domain-authenticated computer to not have to enter their username and password again (use the credentials of the user logged on to the system). We have a similar non-F5 setup for this which uses SPNEGO/Kerberos. I understand it is possible for F5 to use a similar way of working by using either NTLM or Kerberos. (You configure, for example, an AAA Kerberos server, include a "401 response" in the APM profile, ...)
However, when using these methods, is there a consequence for using SSO profiles? I am doing a POC with Kerberos client-side authentication, and have succeeded in the client-side authentication. I have, however, no source for the password I need to use for SSO mapping. (The platform I need to integrate with uses NTLMv2.)
So my questions:
- When using NTLM/Kerberos client authentication, are you limited in the SSO method you need to use on the server side?
- Is there any way of extracting the password, or at least making it usable for SSO profiles?