Forum Discussion
Daniel_W__13795
Nimbostratus
NimbostratusKerberos 401 authentication with form fallback
Hello,
we are using APM for SAML authentication. Domain joined machines should authenticate transparently with Kerberos, users without the ability to use Kerberos (non domain joined, Firefox wit...
JoeTheFifth
Altostratus
AltostratusYou can but it you need a few requirements:
Add the web app hostname or a wildcard domain name like *.mywebapp.com to the intranet zone (ie, chrome) or trusted.uris (firefox). Safari is out of the game here sorry. All devices should do this even people not in your AD domain. This won't work for people coming from the internet but will do for partners coming from an internal network and using your AD domains or a trusted domain.
Now you need an ECA Profile enabled on the VS.
This also requires an NLTM configuration with an computer object created in you Active Directorry.
This way all devices will need to do an NTLM challenge with this computer (F5 computer object created in AD) and you will have to use an iRule to decode the NTLM message and get the user/domain info.
All allowed domains (datagroup list or inside the irule) for which you don't need an APM login page wll do an sso login (automaric login). All the domains not in the allowed list will be redirected to the APM login page.
It's not a straightforward task but I have it all set up and running.