Forum Discussion
Setting up CAS server with certificate based authentication
Hello,
This is a common scenario where you configure client cert authentication on the F5 VIP protecting the pool of CAS servers.
The client cert auth is feasible using LTM only by correctly setting up a client SSL profile.
But the Web SSO feature requires the APM module. If you ask only for a client certificate, you must configure Kerberos Delegation on the BIG-IP and activate Kerberos authentication on the CAS servers.
I suggest you add the UPN or the e-mail address of the user within the certificate so that by doing an AD query, you can retrieve all required attributes.
- Nath, Mar 11, 2016 (Cirrostratus)
Thanks, I'm glad someone understands me. The UPN was included on the certificate that AD needed to verify. My problem is the clientSSL profile. I'm not really familiar with certificates and keys.
- Nath, Apr 17, 2016 (Cirrostratus)
Yann, hi. May I know if I can do this using LTM only? As you said, I just need to configure client SSL correctly.
- Yann_Desmarest, Apr 18, 2016 (Cirrus)
Hello, Kerberos delegation requires APM to work. The SSL part can be achieved by LTM only.
- Yann_Desmarest, Apr 18, 2016 (Cirrus)
If the client device uses basic authentication, you can make it work using LTM only. You just check for client certificate validation within the clientssl profile. On the clientssl profile you use on your VS, you must define a trusted CA, the same CA as Advertised CA (optional), a Depth (default value is OK) and optionally a CRL file.
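
The client SSL profile settings listed in the last reply, written out as tmsh commands. This is an added example, not part of the original thread. All object names (cas_clientcert, cas_server.crt/.key, corp_ca.crt, corp_ca.crl, vs_cas_https) are hypothetical and assume the certificate, key, CA bundle and CRL have already been imported on the BIG-IP.

```tmsh
# Create a client SSL profile that inherits from the built-in clientssl parent.
create ltm profile client-ssl cas_clientcert defaults-from clientssl

# Server certificate and key the VIP presents to clients (hypothetical names).
modify ltm profile client-ssl cas_clientcert cert-key-chain add { cas_server { cert cas_server.crt key cas_server.key } }

# Trusted CA: client certificates must chain to a CA in this bundle.
# Advertised CA (optional): sent in the CertificateRequest so the client
# can pick a matching certificate. Here it is the same CA.
modify ltm profile client-ssl cas_clientcert ca-file corp_ca.crt client-cert-ca corp_ca.crt

# peer-cert-mode defaults to "ignore" (no client certificate requested).
# "request" asks for a certificate but still completes the handshake when
# none is presented; "require" fails the handshake without a valid one.
# authenticate-depth 9 is the default chain depth.
modify ltm profile client-ssl cas_clientcert peer-cert-mode require authenticate once authenticate-depth 9

# Optional CRL file so revoked client certificates are rejected.
# A static CRL file has to be re-imported when the CA publishes a new one.
modify ltm profile client-ssl cas_clientcert crl-file corp_ca.crl

# Attach the profile to the virtual server on the client side.
modify ltm virtual vs_cas_https profiles add { cas_clientcert { context clientside } }

# Review the resulting client authentication settings.
list ltm profile client-ssl cas_clientcert ca-file client-cert-ca peer-cert-mode authenticate authenticate-depth crl-file
```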