For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Kerberos 401 authentication with form fallback

Hello,   we are using APM for SAML authentication. Domain joined machines should authenticate transparently with Kerberos, users without the ability to use Kerberos (non domain joined, Firefox wit...
BIG-IP Access Policy Manager (APM)
kerberos
security
SSO
bradhanson's avatar
bradhanson
Icon for Altocumulus rankAltocumulus
Jan 29, 2021

Thanks again, Kevin. Appreciate all you are sharing.

So then, we have devices that are not joined to the domain.. or are not setup for Kerberos. Before the 401 query, is there something that can be done to check to see if the client/client browser is joined so a 401 negotiate is only done when they are able to respond?

Our current situation is that some devices don't have a policy that provides for this and they should be presented with a login form by APM.

Think I will open a support ticket to see what they might be able to suggest.