NuttyF5_120100
Apr 14, 2015

External access to F5+APM secured ADFS farm

In relation to this article -

https://devcentral.f5.com/articles/big-ip-and-adfs-part-2-ndash-ldquoapm-ndashan-alternative-to-the-adfs-proxy-rdquocomments

 

I have a question relating to the scenario where an external user connects to an ADFS Farm which is secured by F5+APM (i.e. not using an ADFS Proxy).

Q) In the link above, after a user enters AD credentials on the F5 APM page, the following is stated - "* Authenticated users are directed to an AD FS server farm member."

After users are directed to the ADFS farm, is it expected that they need to re-enter their credentials on the ADFS page, or are they passed through by the APM?

Thanks in advance

3 Replies

  • mikeshimkus_111 (Historic F5 Account)

    Hi NuttyF5, if the primary intranet authentication method on the AD FS server is set to NTLM/Windows, then the APM NTLM SSO should pass the credentials and sign you on automatically. I think that auth method is set to forms-based by default.

    Mike

  • Hi Mike, thanks for your response. I've managed to develop a workaround. Below is some information to help others who may have the same problem.

    Problem description: Using the F5 LTM+APM to reverse proxy ADFS 3.0, either with the release candidates of the iApp (f5.microsoft_adfs.v.1.0.0rc5) or using the manual configuration steps as per the ADFS deployment guide, resulted in an additional authentication prompt when a UPN-format username was entered. In our environment, the UPN is internet accessible, whereas the Active Directory domain is private (i.e. UPN = first.last@company.com and AD = company.internal).

    This additional authentication prompt only occurred when credentials on the APM logon page were entered in UPN format.

    Logon names entered as DOMAIN\User or USER resulted in the following expected result:

    "User redirected to APM logon page --> Credentials entered on APM page --> Credentials passed seamlessly to ADFS --> ADFS issues token --> User redirected to Office 365 and logged in... etc"

    The configuration changes required to allow a UPN which differs from the Domain Suffix are as follows:

    Note: These changes are hard coded. I would suggest it should be possible to use LDAP queries, or branches to handle multiple domains.

    Perform the following steps in the VPE:

    1) Set "Split domain from full username" to Yes in the Logon Page block

    2) Add a Variable Assign object between the AD Auth and SSO Credential Mapping blocks

    This contains two entries. Replace "domain" and "UPN" with your AD Domain and UPN respectively, e.g.

    upn = company.com

    domain = company (NETBIOS shortname)

    session.logon.last.logonname = if { [string tolower [mcget "session.logon.last.logonname"] ] contains "UPN" } then { return "domain\\[mcget "session.logon.last.username"]" } else { return "[mcget "session.logon.last.logonname"]"}

    session.logon.last.domain = if { [string tolower [mcget "session.logon.last.domain"] ] contains "UPN" } then { return "domain" } else { return "[mcget "session.logon.last.domain"]"}

    Hope this helps. I've only been working with these over the last few weeks, so the solution may not be optimal.

    One other issue that was found is the guidance in the deployment guide (microsoft-adfs-dg.pdf - v1_6) gives "/adfs/fs/federationserverservice.asmx" as a URI value for the External Monitor. This does not work as the "200 OK" response is not given. Use "/FederationMetadata/2007-06/FederationMetadata.xml" instead to allow the "200 OK" response to work.

    On a related note, the rc4 and rc5 releases seem to have been removed from devcentral. The following steps still apply to the manual configuration as per the F5 ADFS Deployment Guide.

    https://devcentral.f5.com/codeshare/microsoft-active-directory-federation-services-adfs-iapp-template
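The poster notes that the two Variable Assign expressions are hard coded for a single UPN suffix. The block below is an added example, not code from this thread, from the F5 deployment guide or from the iApp, that generalises the same idea to several UPN suffixes with a lookup table. The suffix-to-NETBIOS pairs (company.com/COMPANY, subsidiary.com/SUBSIDIARY) are assumptions to replace with your own. It assumes "Split domain from full username" is set to Yes on the Logon Page, so a logon of first.last@company.com leaves session.logon.last.username = first.last and session.logon.last.domain = company.com. Each section is pasted as its own custom expression in the Variable Assign object; they are shown together here only for reading.

```tcl
# Entry 1: custom expression for session.logon.last.logonname
# (added example; suffix table is an assumption, not from the thread)
set user   [mcget {session.logon.last.username}]
set suffix [string tolower [mcget {session.logon.last.domain}]]

# Map each public UPN suffix to the NETBIOS name of the private AD domain.
# Anything not listed falls through and is left as the user typed it.
switch -- $suffix {
    company.com    { set netbios "COMPANY" }
    subsidiary.com { set netbios "SUBSIDIARY" }
    default        { set netbios "" }
}

if { $netbios ne "" && $user ne "" } {
    # Known UPN suffix: rewrite to DOMAIN\user so the NTLM SSO object
    # presents a logon name the AD FS farm member accepts.
    return "${netbios}\\${user}"
}
# DOMAIN\user, bare user, or unknown suffix: keep the original logon name.
return [mcget {session.logon.last.logonname}]

# Entry 2: custom expression for session.logon.last.domain
# (same lookup; only the NETBIOS domain is returned)
set suffix [string tolower [mcget {session.logon.last.domain}]]
switch -- $suffix {
    company.com    { return "COMPANY" }
    subsidiary.com { return "SUBSIDIARY" }
    default        { return [mcget {session.logon.last.domain}] }
}
```

Because the split already separates the suffix into session.logon.last.domain, the lookup compares the whole suffix rather than doing a "contains" substring match, so a suffix such as mycompany.com is not mistaken for company.com. Adding a domain is one extra line in each switch; the default branch preserves the DOMAIN\user and bare-user paths the poster reports as already working.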

    • mikeshimkus_111 (Historic F5 Account)
      Thanks for the information. I'll look into updating the solution. Regarding the monitor, there was an issue with the curl command that prevented it from working correctly, but that should be fixed in RC5. I've tested it successfully with the /adfs/fs/federationserverservice.asmx URI. Also, something has happened with DevCentral to cause many of the latest templates to disappear. I'll try to find out why that happened.