PhetS
Jun 26, 2024

Mix NTLMv2 & Kerberos SSO in the same policy for different sub-URL

Hello !

I got a special request and couldn't find a solution on how to address this...

e.g.

The following URL is secured by an APM policy using NTLMv2 as SSO (based on AD Auth):

https://acme.domain.com/url

 

The following sub-URL is requesting Kerberos:

https://acme.domain.com/url/suburl

 

For the moment the user needs to authenticate 2x, the 2nd time through a Microsoft popup.

One of the main issues is: if I log out and log in again with a different user, there is no login requested for the Kerberos part and the 1st user remains connected.


Any idea how I could solve this situation?

BR
S.

1 Reply

  • Hi, 

    - Review the Active session report for the first login attempt and validate that Kerberos works well and you can see the TGT or S4U successful.
    - After the first attempt, try to log out again and authenticate with another user, then review the Access report and check the NTLM authentication and Kerberos.

    - Try this (don't only log out from the application; I need you to kill the session, then authenticate with the second user directly and check the Kerberos logs in the access reports).
    I think you should connect to the second user after killing the active session.

     

    Don't forget to enable debugging for SSO and Access policy, to be able to see all logs and failures on the Kerberos side.