Kerberos & NTLMv2 via SSL VPN virtual server (mobile devices SSL VPN via APM)
Unfortunately no. NTLM authentication is a challenge/response protocol that requires knowledge of the user's password. Client certificate-based authentication does indeed impose some limitations, but consider the following additional possibilities:
- HTTP headers - your APM is a trusted proxy in front of the application (no traffic is passing to the application unless the client presents a certificate and that certificate is vetted). In some cases it's fairly simple to replace an application's typical user/pass authentication process with a header consumption function.
- Generalize user passwords - given that the users may never need their passwords for anything else, you could reset the passwords to some single, ridiculously long value, and let APM use that and the user's UPN to submit forms-based, Basic, NTLM, or other user/pass authentication. Admittedly this is a stretch, but I've had to do this for applications that simply do not support anything else but user/pass logon.
- SAML - if the application supports SAML 2.0, your APM IdP could request and validate the client certificate and send it a valid SAML assertion for logon.
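The "header consumption function" in the first option is only as safe as the application's check that the identity header really came from the proxy. The following is an added example (not code from the post or from F5) of what that check looks like on the application side; the proxy subnet 10.0.0.0/24 and the header name `X-Remote-User` are assumed values.

```python
"""Consume a proxy-asserted identity header safely (added example).

The backend honours the header only when the TCP peer is the trusted
proxy, and rejects requests where the header appears more than once,
which happens if the proxy appends its value instead of replacing any
copy the client supplied.
"""
from ipaddress import ip_address, ip_network

# Constructed assumption: the APM self-IP range that may reach the app.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
# Constructed assumption: header the proxy sets from the vetted certificate.
IDENTITY_HEADER = "x-remote-user"


def authenticate(peer_ip, headers):
    """Return the asserted UPN (lower-cased) or None if it cannot be trusted.

    peer_ip: source address of the TCP connection as the backend saw it.
    headers: list of (name, value) pairs exactly as received, so duplicates
             are visible rather than collapsed into one value.
    """
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct access bypassing the proxy: the header is worthless.
        return None

    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        # Missing, or duplicated (proxy appended instead of overwriting).
        return None

    user = values[0]
    # Expect a UPN shape; reject empty values and embedded whitespace.
    if not user or "@" not in user or any(c.isspace() for c in user):
        return None
    return user.lower()


if __name__ == "__main__":
    # Constructed sample request from the proxy.
    print(authenticate("10.0.0.5", [("X-Remote-User", "Alice@corp.example")]))
```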