For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 19, 2013

mixing SSO methods, i.e. ntlm, basic http and kerberos

i was wondering if i can freely mix SSO methods with a webtop implementation. currently im using NTLMV2 and HTTP basic together by configuring different SSO profiles on the portal access resources. t...
BIG-IP Access Policy Manager (APM)
remote access
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jul 03, 2013
it works now, don't quite understand if and if so why removing IP from the KDC field made it work, but it works now.

 

 

so i now have a webtop with three different types of SSO, working correctly together :)

 

 

thanks for the help Kevin.

 

 

for any others, a succesful Kerberos SSO looks like this in APM reporting

 

 

Websso Kerberos authentication for user 'user' using config '/DMZ/sso-profile'

 

\N: adding item to WorkQueue

 

sid: ctx:0x5961f370 server address = ::ffff:192.168.20.124

 

sid: ctx:0x5961f370 SPN = HTTP/hostname.domain.ext@DOMAIN.EXT

 

S4U ======> ctx: , sid: 0x5961f370, user: user@DOMAIN.EXT, SPN: HTTP/hostname.domain.ext@DOMAIN.EXT

 

 

in your packet trace towards the server on which Kerberos SSO is enabled you should see a GET request (if you perform a GET of course) with header Authorization: Negotiate and a big block of code for the auth information.