Forum Discussion
Setting up CAS server with certificate based authentication
Hi All,
Has anyone tried to use this or tried to do this kind of setup?
When I use the client and server SSL profiles it always fails, but when I remove both the client and server SSL profiles my testing works.
As per the client, the certificate on the client side includes a UPN (User private name, I'm not sure). Then the certificate needs to be verified by their AD, and the UPN is the reference in AD. Once it is verified, any mail server that will be accessed by the client should be SSO, since it has already been verified by the client.
Thank you all.
11 Replies
- Yann_Desmarest_
Nacreous
Hello,
This is a common scenario where you configure client cert authentication on the F5 VIP protecting the pool of CAS servers.
The client cert auth is feasible using LTM only, by correctly setting up a client SSL profile.
But the Web SSO feature requires the APM module. If you ask only for the client certificate, then you must configure Kerberos Delegation on the BIG-IP and activate Kerberos authentication on the CAS servers.
I suggest you add the UPN or the e-mail address of the user to the certificate so that, by doing an AD query, you can retrieve all required attributes.
- Nath
Cirrostratus
Thanks, I'm glad someone understands me. The UPN was included in the certificate that AD needs to verify. My problem is the clientSSL profile. I'm not really familiar with the certificates and keys.
- Nath
Cirrostratus
Hi Yann, may I know if I can do this using LTM only? As you said, I just need to configure client SSL correctly.
- Yann_Desmarest_
Nacreous
Hello, the Kerberos delegation requires APM to work. The SSL part can be achieved by LTM only.
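The LTM-only SSL part Yann describes, as an added tmsh configuration example (not posted by anyone in the thread): a client SSL profile that requires and validates the user certificate against the issuing CA, re-encryption to the CAS pool, and the virtual server tying them together. All object names, file names, the destination address and the pool name are placeholders to replace with your own.

```tmsh
# Added example, not from the thread. Import the server cert/key and the CA
# bundle (System > Certificate Management) before creating these objects.

# Client-side TLS: present the CAS server certificate and demand a client cert.
create ltm profile client-ssl clientssl_cas_certauth {
    defaults-from clientssl
    cert-key-chain {
        cas {
            cert cas.example.com.crt
            key cas.example.com.key
        }
    }
    # Trusted CA bundle used to validate the chain of the user certificate
    # (the certificate carrying the UPN that AD is later queried with).
    ca-file corp-issuing-ca.crt
    # "require" rejects clients without a valid certificate;
    # "request" would let them through to the CAS servers unauthenticated.
    peer-cert-mode require
    # Validate once per SSL session rather than renegotiating on every request.
    authenticate once
    authenticate-depth 9
}

# Server-side TLS: re-encrypt from the BIG-IP to the CAS servers.
create ltm profile server-ssl serverssl_cas {
    defaults-from serverssl
}

# Virtual server in front of the CAS pool with both profiles attached.
create ltm virtual vs_cas_https {
    destination 10.0.0.10:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl_cas_certauth { context clientside }
        serverssl_cas { context serverside }
    }
    pool pool_cas_443
    source-address-translation { type automap }
}
```

This only authenticates the client certificate at the VIP; as Yann notes, passing that identity on to the CAS servers as a Kerberos SSO still requires APM and Kerberos authentication enabled on CAS.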
- Smithy
Cirrostratus
Check out: https://devcentral.f5.com/articles/apm-cookbook-on-demand-vpn-for-ios-devices
Follow Steps 1 & 2 to set up the Client SSL Profile. Then add the On-Demand Cert Auth, start of steps 3.5 & 3.6. You will need to perform a Kerberos SSO to OWA or ActiveSync, so have a look at https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos, replacing SharePoint with OWA.