Security issue using two different authentication methods with the same ntlm domain (SSO)
Hello fellows,
I have run across a security issue with two web servers using the same NTLM domain for authentication (APM) on our F5 BIG-IP Version 11.4.1.
ServerA contains critical information and may be accessed only using token-based two-factor authentication and Windows authentication.
ServerB contains non-critical information that may be accessed using Windows authentication with the same NTLM domain as ServerA.
Now, the problem is that after authenticating with ServerB, no password or token code will be asked of the user when he connects to ServerA. He will be logged on without any further prompts! So, users bypass two-factor authentication if they log on to ServerB first. This is kind of a security issue.
How can I achieve the following: A session cookie for ServerA may be used for SSO to ServerB, but a session cookie from ServerB does not provide access to ServerA?
Second best would be to oblige the users to log on to both servers separately.
Thanks for help! Alex
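The one-way SSO described in the question, as an added example that is not part of the original post and is not F5 APM configuration: a vendor-neutral model in which every session records the assurance level of the authentication that created it, and each service compares that level against its own minimum before honouring an existing cookie. The service names, the two levels and the per-service minimums are assumptions chosen to match the post; the session store stands in for the cookie-keyed session table both servers share.

```python
"""Added example: one-way SSO between two services that share one session store.

Vendor-neutral model (not F5 APM configuration). Each session records the
assurance level of the authentication that created it; every service checks
that level against its own minimum before honouring an existing cookie.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assurance levels: a higher number means stronger authentication.
LEVEL_PASSWORD = 1     # Windows (NTLM) credentials only
LEVEL_TWO_FACTOR = 2   # credentials plus a token code

# Minimum level each service accepts from an existing session (assumed policy
# matching the post: ServerA holds the critical data, ServerB does not).
REQUIRED_LEVEL: Dict[str, int] = {
    "ServerA": LEVEL_TWO_FACTOR,
    "ServerB": LEVEL_PASSWORD,
}


@dataclass
class Session:
    user: str
    level: int


class SessionStore:
    """Shared store standing in for the cookie-keyed session table both services see."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, level: int) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = Session(user, level)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def login(store: SessionStore, server: str, user: str,
          password_ok: bool, token_ok: bool = False) -> Optional[str]:
    """Create a session at the level the presented factors justify.

    Returns the new session id, or None when the factors do not meet the
    service's minimum (for example password only at ServerA).
    """
    if not password_ok:
        return None
    level = LEVEL_TWO_FACTOR if token_ok else LEVEL_PASSWORD
    if level < REQUIRED_LEVEL[server]:
        return None
    return store.create(user, level)


def access(store: SessionStore, server: str, sid: Optional[str]) -> str:
    """Decide what a service does with a presented session cookie.

    'allowed'  - session exists and its level meets the service's minimum
    'step-up'  - session exists but a stronger factor is still required
    'denied'   - no valid session; a full login is required
    """
    session = store.get(sid) if sid else None
    if session is None:
        return "denied"
    if session.level >= REQUIRED_LEVEL[server]:
        return "allowed"
    return "step-up"


def step_up(store: SessionStore, sid: str, token_ok: bool) -> Optional[str]:
    """Raise a password-level session to two-factor after a valid token code.

    The session id is rotated so the cookie issued at the lower level cannot
    keep being replayed; the old id is revoked.
    """
    session = store.get(sid)
    if session is None or not token_ok:
        return None
    store.revoke(sid)
    return store.create(session.user, LEVEL_TWO_FACTOR)


if __name__ == "__main__":
    store = SessionStore()
    sid_b = login(store, "ServerB", "alex", password_ok=True)
    print("ServerB cookie at ServerA:", access(store, "ServerA", sid_b))  # step-up
    sid_a = login(store, "ServerA", "alex", password_ok=True, token_ok=True)
    print("ServerA cookie at ServerB:", access(store, "ServerB", sid_a))  # allowed
```

The key design point is that the cookie itself carries no authorization; the session record behind it carries the level at which it was established, so a ServerB login can only ever be used at ServerA after a step-up that re-issues the session. The second-best option from the question (separate logins) corresponds to giving each service its own store instead of a shared one.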