Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Kerberos 401 authentication with form fallback

Hello,   we are using APM for SAML authentication. Domain joined machines should authenticate transparently with Kerberos, users without the ability to use Kerberos (non domain joined, Firefox wit...
BIG-IP Access Policy Manager (APM)
kerberos
security
SSO
Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account

I don't immediately see how it's possible to tell if a PC is able to authenticate without asking it via a 401, which produces a browser auth pop-up. Is there anything in the initial HTTP request that you can use to tell this class of clients from the other class of clients?

 

Well, perhaps you could use Group-Policy IEM tool to modify the User-Agent and show the 401 to only those guys via some simple VPE logic? But they would have to use only IE, unless there is some way to do this with Firefox to a group of PCs.

 

https://technet.microsoft.com/en-us/library/cc770379.aspx

 

Nolan_Jensen's avatar
Nolan_Jensen
Icon for Cirrostratus rankCirrostratus
Aug 06, 2018

AN,

 

I don't have a answer for you but wanted you to know I originally reported this as working. However just had a report today that when I have a non domain joined computer connected to our network the browser will prompt for username and password. You have the configuration the same as I do so appears to be an issue.

 

I can also confirm what Chris said if I cancel the browser login prompt I am then taken to my F5 login page and have no issues getting to allow ending.