Forum Discussion

Alexander_01_13's avatar
Alexander_01_13
Icon for Nimbostratus rankNimbostratus
Jan 10, 2014

Security issue using two different authentication methods with the same ntlm domain (SSO)

Hello fellows,   I have run across a security issue with two web servers using the same ntlm domain for authentication (APM) on our F5 BIGIP Version 11.4.1.   ServerA contains critical informat...
BIG-IP Access Policy Manager (APM)
deployment
microsoft
security
Alexander_01_13's avatar
Alexander_01_13
Icon for Nimbostratus rankNimbostratus
Jan 10, 2014

Yes, two different policies.

Would branching out based upon host header solve the sso problem? Still, a session cookie obtained logging on to ServerB would sso to ServerA, wouldn't it?

After a look at the session variables I found the following useful: In a two-factor authenticated session the variable 

session.securid.last.state
has the value 
SECURID_AUTH_STATE_ACCESS_ACCEPTED
. So, in an iRule I have to check that this variable is set and if not I will redirect to the login form.

Good idea?

Regards, Alex

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Jan 12, 2014
    Yes, that's certainly a good and easy approach - check for the existence and value of that variable.. However, if you have two different policies why would this matter? Each policy would execute separately, unless you are setting a domain cookie -is that what you're doing?