Forum Discussion
elastic_82555
Apr 26, 2013, Nimbostratus
kerberos and ntlm authentication using APM
Hi,
I have setup sharepoint 2010 iApp, using NTLM authentication and it is working well (using the F5 login page), however, I now have a requirement to use kerberos authentication, as well...
elastic_82555
Apr 29, 2013, Nimbostratus
Kevin,
Hi, thanks for the response, it will take me a wee while to absorb all that you are saying, however, one of the areas where I am really struggling is with the "access policy" editor. Here there are many choices, and truthfully, I am not sure that I have enough information to make an informed decision. Here is my current access policy...
Start---->fallback---->[HTTP 401 Response]---->basic---->[Deny]
[HTTP 401 Response]---->negotiate---->[Allow]
[HTTP 401 Response]---->fallback---->[Logon Page]---->fallback---->[AD Auth]---->successful---->[SSO Credential Mapping]---->fallback---->[Allow]
[AD Auth]---->fallback---->[Deny]
From the Logon page going forward, I have a working setup with NTLMv1 authentication, chosen at the SSO Credential Mapping stage, but I am really unsure if I want to put an HTTP 401 Response object before this to handle Kerberos (just seems wrong). I have put this there, but I am pretty sure it is not handling kerberos at all, as my policy is still using NTLMv1.
It is really all the predefined actions that are available when you access the plus sign in the access policy editor that, to me, have very little or poor documentation (it is very probable they do have good documentation, and I don't know where to find it). I have copied the object list below, but I am really struggling to know what each one does, and what a typical scenario might be for kerberos (for example, do I need to define a Kerberos AAA server object or not?). I appreciate that all this falls between two stools, F5 and Microsoft, but I assume I am not the first person to do this, and am looking for as much help and documentation as possible.
thanks to any and all for bearing with me on this one.
Sc0tt...
Object options for access policy objects

General Purpose
Date Time: Create branch rules based on time
Logon Page: Web form-based logon page for collecting end user credentials
HTTP 401 Response: HTTP 401 Response for Basic or SPNEGO/Kerberos authentication
External Logon Page: Redirect user to externally hosted web form-based logon page
Full Resource Assign: Advanced expression-based assignment of Connectivity Resources, Webtop, and ACLs
Resource Assign: Simple assignment of Connectivity Resources
ACL Assign: Simple assignment of on-box created Access Control Lists (ACLs)
Webtop and Links Assign: Simple assignment of Webtop and Webtop Links
Pool Assign: Assign Local Traffic Pool
Variable Assign: Advanced assignment of custom variables, configuration variables, or predefined session variables
Virtual Keyboard: Enables a virtual keyboard on the web form-based logon page for entering credentials
SSO Credential Mapping: Enables Single Sign-On (SSO) credentials caching and assigns SSO variables
Citrix Smart Access: Enables Citrix SmartAccess filters when deploying with XenApp or XenDesktop
Route Domain and SNAT Selection: Dynamic Route Domain and SNAT settings selection
Logging: Log custom messages and session variables for reporting and troubleshooting
Email: Configure Email messages for reporting
Message Box: Create a custom message to display to the end user with prompt to continue
Decision Box: Create a custom decision page to display to the end user with two choices
Dynamic ACL: Assignment of Access Control Lists (ACLs) retrieved from an external directory such as RADIUS or LDAP
iRule Event: Raises an iRule ACCESS_POLICY_AGENT_EVENT event for use with custom iRules scripts
Empty: Creates an Empty Action for constructing custom Branch Rules

Authentication
AD Auth: Active Directory authentication of end user credentials
AD Query: Active Directory query to pull user attributes for use with resource assignment or other functions / Group Mapping
Client Cert Inspection: Check the result of client certificate authentication by the Local Traffic Client SSL profile
CRLDP Auth: Certificate Revocation List Distribution Point (CRLDP) client certificate authentication
HTTP Auth: HTTP authentication of end user credentials
LDAP Auth: LDAP authentication of end user credentials
LDAP Query: LDAP query to pull user attributes for use with resource assignment or other functions / Group Mapping
NTLM Auth Result Check: Check the result of NTLM authentication of end user credentials
OCSP Auth: Online Certificate Status Protocol (OCSP) client certificate authentication
On-Demand Cert Auth: Dynamically initiate an SSL re-handshake and validate the received client certificate
RADIUS Auth: RADIUS authentication of end user credentials
RADIUS Acct: Send accounting messages to a RADIUS server when users log on and off
RSA SecurID: RSA SecurID two-factor authentication of end user credentials
TACACS+ Auth: TACACS+ Authentication of end user credentials
TACACS+ Acct: Send accounting messages to a TACACS+ server when users log on and off
Kerberos Auth: Kerberos authentication, typically following an HTTP 401 Response action
OAM: Oracle Access Manager (OAM) authentication of end user credentials
SAML Auth: SAML Auth using SAML Service Provider Interface
OTP Generate: Generate One Time Passcode (OTP)
OTP Verify: Verify One Time Passcode (OTP)

Client Side Checks
Antivirus Check: Antivirus Check for Windows, Mac and Linux
Firewall Check: Firewall Check for Windows, Mac and Linux
Windows File Check: Windows File Check
Machine Cert Auth: Windows Machine Cert Auth
Windows Info: Windows OS Info
Machine Info: Windows Machine Info
Windows Process Check: Windows Process Check
Registry Check: Windows Registry Check
Mac File Check: Mac File Check
Mac Process Check: Mac Process Check
Linux File Check: Linux File Check
Linux Process Check: Linux Process Check

Client Side Actions
Cache and Session Control: Windows Browser Cache and Session Control
Protected Workspace: Windows Protected Workspace
Windows Group Policy: Windows Group Policy

Server Side Checks
Client-Side Check Capability: Client-Side Check Capability
Client OS: Type of Client OS
Client Type: Type of Client Application
Landing URI: Check Landing URI
IP Subnet Match: Check Client's IP Subnet
IP Reputation Check: Check Client's IP Reputation
Client for MS Exchange: Check for client for MS Exchange Server, such as MS Outlook, etc. This action requires _sys_APM_ExchangeSupport_main or _sys_APM_ExchangeSupport_OA_BasicAuth iRule or _sys_APM_ExchangeSupport_OA_NtlmAuth iRule.
IP Geolocation Match: Match IP Geolocation
License Check: Create branch rules based on license usage
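The poster's real question is whether the "negotiate" branch after the HTTP 401 Response is ever taken, or whether clients are still ending up on NTLM. The HTTP 401 Response action only branches on the scheme the client answers with; what mechanism actually sits inside a Negotiate token (Kerberos or NTLM wrapped in SPNEGO, or even a bare NTLM message sent under the Negotiate scheme) is decided by the client. The following is an added example, not code from this thread or from F5: a small Python triage script that classifies Authorization header values you have already extracted from an APM/LTM log or a packet capture. It assumes you have those header values as strings; the sample tokens are constructed here, and the mechanism check is a substring search for the DER-encoded mechanism OIDs rather than a full SPNEGO parser.

```python
import base64

# DER encodings of the mechanism OIDs that appear in a SPNEGO NegTokenInit
# mechTypes list (tag 0x06, length, then the OID body).
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2 (Kerberos v5)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (MS KRB5)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2 (SPNEGO)
NTLMSSP_SIG = b"NTLMSSP\x00"                             # signature of a raw NTLM message


def classify_authorization(value):
    """Classify one Authorization header value as basic, ntlm, kerberos or unknown.

    Heuristic triage only: it looks for mechanism OIDs inside the decoded Negotiate
    token instead of parsing the ASN.1. In a NegTokenInit the first mechType listed
    is the one the client prefers, so the earliest OID found decides the label.
    """
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return "unknown"
    scheme, token = parts[0].lower(), parts[1].strip()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"  # bare NTLM, even when sent under the Negotiate scheme
    if scheme == "negotiate" and raw[:1] == b"\x60":  # GSS-API InitialContextToken
        earliest = {}
        for mech, oid in (("kerberos", KRB5_OID), ("kerberos", MS_KRB5_OID), ("ntlm", NTLMSSP_OID)):
            pos = raw.find(oid)
            if 0 <= pos < earliest.get(mech, len(raw)):
                earliest[mech] = pos
        if earliest:
            return min(earliest, key=earliest.get)
    return "unknown"


def summarize(header_values):
    """Count mechanisms across a batch of header values, e.g. one day of access logs."""
    counts = {"basic": 0, "ntlm": 0, "kerberos": 0, "unknown": 0}
    for v in header_values:
        counts[classify_authorization(v)] += 1
    return counts


# Constructed sample tokens below: synthetic bytes, not captured traffic.

def ntlm_type1():
    # NTLMSSP signature, message type 1 (negotiate), flags, empty domain/workstation fields
    return NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 24


def spnego_token(mech_oids):
    # Minimal InitialContextToken carrying only a NegTokenInit mechTypes list.
    # Single-byte DER lengths suffice because everything here is under 128 bytes.
    mech_list = b"".join(mech_oids)
    mech_types = b"\x30" + bytes([len(mech_list)]) + mech_list   # SEQUENCE OF OID
    ctx0 = b"\xa0" + bytes([len(mech_types)]) + mech_types        # [0] mechTypes
    neg_init = b"\x30" + bytes([len(ctx0)]) + ctx0                # NegTokenInit
    neg_token = b"\xa0" + bytes([len(neg_init)]) + neg_init       # [0] CHOICE negTokenInit
    body = SPNEGO_OID + neg_token
    return b"\x60" + bytes([len(body)]) + body                    # APPLICATION 0 wrapper


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


SAMPLE_HEADERS = [
    "Basic " + b64(b"user:pass"),                                  # basic branch of the 401 action
    "NTLM " + b64(ntlm_type1()),                                   # raw NTLM scheme
    "Negotiate " + b64(ntlm_type1()),                              # NTLM hiding under Negotiate
    "Negotiate " + b64(spnego_token([KRB5_OID, NTLMSSP_OID])),     # Kerberos preferred
    "Negotiate " + b64(spnego_token([NTLMSSP_OID, MS_KRB5_OID])),  # NTLM preferred
    "Bearer not-a-negotiate-token",                                # something else entirely
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{classify_authorization(h):9s} <- {h[:40]}")
    print(summarize(SAMPLE_HEADERS))
```

Run it over the Authorization values your policy sees after the 401: if the Negotiate tokens all classify as ntlm, the client is never offering Kerberos (typically an SPN or delegation problem on the Windows side), and no amount of rearranging the 401 Response branch will change that.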