Forum Discussion
Al_7443
Jul 05, 2018Nimbostratus
Perhaps consider using the APM module to present a form-based logon to your clients that fail Kerberos. APM will use delegation to go and get a Kerbers ticket for your users, and proxy them onto the protected app. This way you still get AAA without compromising your security.
This article steps you through the concepts and configuration
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
If you -really- wanted to make a bad security decision, you could use an iRule to check for an OSX/Ipad user-agent header, and set the Kerberos header.