Forum Discussion

Martin_Foidl's avatar
Feb 04, 2016

LTM+APM SSO only for designated Subnets

Hi,

 

we have a Problem we have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of pubic subnets. If a user comes out of a private subnet we do not present a logon page so that the user get passed through and the browser takes the credentials out of the browser for SSO on the site (Sharepoint in my case)

 

This works but for users where i don't have a logon-page and a SSO mapping i get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also depending on the client there are opened up to 30! apm sessions per client

 

So my question: How can i supress this message and get only one session per client?

 

Thanks for your answers

 

Martin

 

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account

    The error just means the SSO credential mapping object in the VPE is looking for a session variable which isn't set (in this case last logon username). So you'd have to edit the SSO credential mapping object to get the username from a session variable which actually exists.

     

  • Thanks Josiah,

     

    and this is where the problem begins ..... ;)

     

    I don't have a session variable where i can write in the credentials because i only pass them through so that the user does not have to enter credentials in a webtop form. We have this because we want external users to get pre-authenticated (Form-based) and internal users to just get passed through! So the main problem is that i need the SSO configuration on the VS for the external users but for internal users i does not need it because they get only passed through.

     

    I've attached an image of the policy below.

     

     

    Thanks Martin

     

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account

    Thanks, that picture clears things up.

     

    You need to disable sso then for the internal case. Just add an irule event trigger and have an irule disable sso (WEBSSO::disable)

     

  • I think I am doing something wrong writing the iRule

     

    I created an iRule "xxx" containing

     

    when ACCESS_POLICY_AGENT_EVENT {

     

    set WEBSSO::disable }

     

    Then I added the iRule Event in a Box with the ID xxx in the VPM and attached the iRule to the VS but it will not work :/

     

    in LTM Log I get

     

    TCL error: /REVERSE_PROXY/apm_disableSSO - can't read "WEBSSO::disable": no such variable while executing "set WEBSSO::disable"

     

  • Hi,

    WEBSSO::disable must be applied to every request and not when user authenticate...

    the best way is to disable APM base on IP address in an irule:

    when HTTP_REQUEST {
        if { [IP::addr [IP::local_addr]/8 eq 10.0.0.0] || [IP::addr [IP::local_addr]/12 eq 172.16.0.0] || [IP::addr [IP::local_addr]/16 eq 192.168.0.0]} {
            ACCESS::disable
            return
        }
    }
    
  • Hi and thanks to all 🙂

     

    You brought me to the right way to solve this 🙂

     

    I had to modify the code of Stanislas a litte bit but for this it works and my logs are not flooded anymore with useless entries!

     

    Code:     
    when HTTP_REQUEST {
    if {  [IP::addr [IP::local_addr] equals "164.3.0.0/16"] || [IP::addr [IP::local_addr] equals "172.16.0.0/12"] || [IP::addr [IP::local_addr] equals "192.168.0.0/16"] || [IP::addr [IP::local_addr] equals "10.0.0.0/8"]} {
        WEBSSO::disable
        return
    }
    }
    

    Thanks Martin