Forum Discussion
NTLM SSO across Virtual Servers behind multiple appliances
Hi all,
I have several virtual servers across several environments that require Single Sign-On. All applications on the back use NTLMv2 for the authentication. The challenge is to implement SSO between multiple LTM-APM appliances which do not know about each other's sessions. Is this even possible?
Thanks
- Greg_Labelle (Nimbostratus)
Can you clarify your question? If I'm understanding you correctly, you are looking to ensure that end users have SSO to all of the applications. If that is the case, then it shouldn't matter how many LTM+APM appliances there are in the mix, as each session would be individually set up for SSO.
- alex100 (Cirrostratus)
My virtual servers do not live on the same Big-IP unit. They are scattered across several physical appliances all running 11.6. How is it possible for one LTM+APM to know what is in the session variables of another LTM+APM? Where will it obtain values for the password variable, for instance?
- Rabbit23_116296 (Nimbostratus)
I don't think this is possible. The session database and/or cookies are not shared between F5s outside of an HA pair.
- Greg_Labelle (Nimbostratus)
Sorry Alex, I'm still not completely understanding. Each LTM+APM appliance maintains a unique session for the services it provides. You can SSO to one appliance, and at the same time SSO to another appliance for a separate service. Where exactly is the issue you are experiencing?
- Stefan_Klotz (Cumulonimbus)
I guess Alex wants to achieve the following scenario:
The user wants to connect to application1, which is behind LTM/APM1. There, APM displays a logon mask, because it's a new session. Then APM performs authentication towards whatever and then makes SSO towards application1.
Now the same user wants to connect to application2, which is behind LTM/APM2. Here the user prefers not to get any logon mask, and that his SSO information from application1 will be used automatically.
I would also agree with Rabbit23 that such a setup is not possible. But I would be very interested in the solution if I'm wrong here.
Ciao Stefan :)