Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 19, 2013

mixing SSO methods, i.e. ntlm, basic http and kerberos

i was wondering if i can freely mix SSO methods with a webtop implementation. currently im using NTLMV2 and HTTP basic together by configuring different SSO profiles on the portal access resources. t...
BIG-IP Access Policy Manager (APM)
remote access
security
dryk_00's avatar
dryk_00
Icon for Nimbostratus rankNimbostratus
Jun 18, 2015

HEllo, is it possible to share how policy should look like for both aaa (client side) and sso (server side) authentication?

 

I am struggling with implementing such a flow:

 

User ------ any page except sso-login.htm ----> Big Ip ------ any page ---> server

 

User <----- response ----------------------------- BigIP <------- response ---- server

 

User ----- sso-login.html ------> BigIp User <----- 401 Negotiate-------- BigIp (if no valid previous kerb-Auth-ok cookie found)

 

User ----- TGT ---------------------> BigIP -------- request sso-login.htm ----> server

 

BigIP <-------- 401 Negotiate ----> server

 

BigIP -------- TGT as user ----> server User <---- response with kerb-Auth-Cookie -- BigIp <------- response --- server (if kerb auth OK