Forum Discussion
Kerberos Authentication implementation
One important thing to understand here is that the (web) client won't send a Kerberos ticket unless the server asks for it. This is generally in the form of a 401 response with a "WWW-Authenticate: Negotiate" header. If the server sends a 401 with this header, and the client cannot comply (not a member of a domain), then the browser may attempt to fail over to an NTLM prompt. This may not be what you want, and will certainly alter the existing form-based user experience. If you have clients that won't have Kerberos tickets, it may be best to evaluate these based on some known criteria, like IP subnet (i.e. internal vs. external users). That way you could present a form logon for external users and a 401 for internal users. If submitting via form, the APM logon page will by default populate the session.logon.last.username variable with the submitted name. If submitting via Kerberos ticket, upon successful authentication, the user attribute will be stored in session.logon.last.logonname as a userPrincipalName value (ex. bob.user@domain.com).
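The decision flow described in the post above, as an added Python example that is not part of the original thread, F5 APM, or any iRule: internal subnets get the 401 "WWW-Authenticate: Negotiate" challenge, external clients get the form logon, and when a Negotiate token arrives the server checks whether it carries Kerberos or an NTLM fallback before accepting it. The subnet list, the sample tokens, and the hypothetical `X-Auth-Mech` header are all constructed for the example; the NTLM-versus-Kerberos test is a heuristic on the token bytes (NTLMSSP signature vs. a GSS-API/SPNEGO token listing the Kerberos OID), not a full SPNEGO parser.

```python
import base64
import ipaddress
from dataclasses import dataclass, field

# Constructed assumption: users on these subnets hold Kerberos tickets ("internal");
# everyone else is treated as "external" and is shown the form logon.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

NTLM_SIGNATURE = b"NTLMSSP\x00"                   # prefix of every NTLMSSP message
KRB5_OID_DER = bytes.fromhex("06092a864886f71201 0202")  # 1.2.840.113554.1.2.2

# Constructed sample tokens (not captured traffic):
#  - a GSS-API InitialContextToken (tag 0x60) wrapping a SPNEGO NegTokenInit whose
#    mechTypes list contains only the Kerberos OID; the AP-REQ body is omitted
SPNEGO_KRB_TOKEN = bytes.fromhex(
    "601b 06062b0601050502 a011 300f a00d 300b" + KRB5_OID_DER.hex())
#  - a raw NTLM Type 1 (NEGOTIATE) message, which browsers send under the
#    "Negotiate" scheme when they fall back to NTLM
NTLM_TYPE1_TOKEN = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_internal(client_ip, subnets=INTERNAL_SUBNETS):
    """True when the client address falls inside one of the internal subnets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in subnets)


def classify_token(authz_header):
    """Classify an Authorization header value as 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, b64 = authz_header.partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"                        # raw NTLMSSP sent under the Negotiate scheme
    if raw[:1] == b"\x60":                   # GSS-API/SPNEGO wrapper
        if NTLM_SIGNATURE in raw:
            return "ntlm"                    # SPNEGO carrying an NTLM mechToken
        if KRB5_OID_DER in raw:
            return "kerberos"
    return "unknown"


def handle_request(client_ip, headers):
    """Apply the post's policy: form for external users, 401 Negotiate for internal users.

    An NTLM fallback from an internal client is not accepted; that client is sent the
    form logon instead, and the (hypothetical) X-Auth-Mech header records the outcome
    so it can be logged or alerted on.
    """
    if not is_internal(client_ip):
        return Response(200, {"Content-Type": "text/html", "X-Auth-Mech": "form"},
                        "<form method='post' action='/logon'>...</form>")
    authz = headers.get("Authorization")
    if authz is None:
        # First request from an internal client: ask for the ticket.
        return Response(401, {"WWW-Authenticate": "Negotiate"}, "")
    mech = classify_token(authz)
    if mech == "kerberos":
        # A real deployment validates the AP-REQ against the service keytab here and
        # populates session.logon.last.logonname with the userPrincipalName.
        return Response(200, {"X-Auth-Mech": "kerberos"}, "ticket accepted")
    if mech == "ntlm":
        return Response(200, {"Content-Type": "text/html", "X-Auth-Mech": "ntlm-fallback-to-form"},
                        "<form method='post' action='/logon'>...</form>")
    return Response(400, {"X-Auth-Mech": "unknown"}, "unrecognized Negotiate token")


def negotiate_header(token):
    """Build the Authorization header value a client would send for a raw token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    for ip, hdrs in [("203.0.113.5", {}),
                     ("10.1.2.3", {}),
                     ("10.1.2.3", {"Authorization": negotiate_header(SPNEGO_KRB_TOKEN)}),
                     ("10.1.2.3", {"Authorization": negotiate_header(NTLM_TYPE1_TOKEN)})]:
        r = handle_request(ip, hdrs)
        print(ip, r.status, r.headers)
```

Routing the NTLM fallback to the form rather than re-issuing the 401 avoids the challenge loop the post warns about: a client that cannot obtain a ticket never reaches the NTLM prompt, and the `ntlm-fallback-to-form` marker gives the operations team a count of internal clients that are missing tickets.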