Forum Discussion
kerberos and ntlm authentication using APM
I would only add here that for you to be able to pass SPNEGO through an LTM VIP, the FQDN the client sees - the VIP address (A or CNAME record) must match the SPN of the Kerberos-enabled service behind the LTM. For example, if the client browser contacts "http://www.domain.com", and subsequently receives a 401 response from the server behind the proxy, the client browser will attempt to request a Kerberos ticket for the SPN "HTTP/www.domain.com". If by chance the KDC has a resource by that name, it'll issue that ticket to the client, which will pass the server's portion back through the proxy to the server. If the server itself does not "own" the HTTP/www.domain.com SPN, then it will not have the encryption key necessary to decrypt this token. That scenario would apply to any Kerberos-enabled environment, including SharePoint.
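The three outcomes described in the post above can be checked before a VIP goes live. The following Python is an added example, not part of the original post or of any F5 or Microsoft tooling. The SPN directory and the account names (`svc-sharepoint`, `svc-other`) are constructed sample data standing in for what the KDC holds, and the example assumes the URL port is ignored and SPNs are compared case-insensitively.

```python
from urllib.parse import urlsplit

# Constructed sample data: SPN -> account that owns it in the KDC.
# Account names are hypothetical.
SPN_DIRECTORY = {
    "HTTP/www.domain.com": "svc-sharepoint",
    "HTTP/intranet.domain.com": "svc-other",
}


def requested_spn(url):
    """Return the SPN the browser requests after a 401 from this URL.

    Per the post: HTTP/<FQDN the client sees>. The port is dropped
    (assumption of this example).
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}"


def check_vip(url, backend_account, directory=SPN_DIRECTORY):
    """Classify what happens when a client reaches the VIP at `url`.

    Returns (spn, status) where status is one of:
      "no_ticket"     - the KDC has no resource with that SPN
      "undecryptable" - a ticket is issued, but the SPN belongs to another
                        account, so the backend lacks the key to decrypt it
      "ok"            - the backend's account owns the SPN
    """
    spn = requested_spn(url)
    # Case-insensitive lookup (assumption of this example).
    owners = {name.lower(): owner for name, owner in directory.items()}
    owner = owners.get(spn.lower())
    if owner is None:
        return spn, "no_ticket"
    if owner.lower() != backend_account.lower():
        return spn, "undecryptable"
    return spn, "ok"


if __name__ == "__main__":
    for vip in ("http://www.domain.com/",
                "http://intranet.domain.com/",
                "http://vip.domain.com:8080/"):
        print(vip, check_vip(vip, "svc-sharepoint"))
```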