For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

John_Reddington's avatar
John_Reddington
Icon for Nimbostratus rankNimbostratus
Jul 22, 2014

Seamless athentication to Webtop

Is it possible to authenticate to a webtop seamlessly using the AD credentials our users are already logged onto their machines with?   To qualify, we have a webtop, that when accessed, presents u...
BIG-IP Access Policy Manager (APM)
deployment
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 22, 2014

Not sure when SAML was introduced to the conversation, but that shouldn't matter. You can very simply create a client side Kerberos AAA authentication (401 and Kerberos Auth) at the beginning of the access policy evaluation).

 

  1. The user contacts the APM VIP.
  2. The APM VIP responds with a 401 Unauthorized message and WWW-Authenticate Negotiate header.
  3. The domain-joined user contacts its local DC/KDC to get a ticket for this service, and then returns to the VIP with a Kerberos ticket.
  4. The Kerberos Auth agent validates the Kerberos ticket and allows access.
  5. The access policy assigns the webtop and additional resources to the user.

You can do more or less the same thing with NTLM on the client side, but again it's a little more involved. Once the user is authenticated and has a webtop, there's also a session variable stored in the access policy, session.logon.last.logonname, that contains the user's AD UPN (ie. bill.user@mydomain.com). You can use this to do server side authentication, IdP-initiates SAML, etc.

 

Related Content