SharePoint kerberos APM, logon page for no AD computer
Hi everyone,
We have an internal SharePoint 2010 site with Kerberos authentication and 2 kinds of computers:
- Computers joined to the same Active Directory as the SharePoint server: users don't need to enter an ID/password to access the SharePoint site (and we don't want to change this behavior).
- Computers not joined to the Active Directory domain: before accessing the SharePoint site, users get a Windows pop-up authentication prompt and need to enter their Active Directory ID/password to access the SharePoint site.

I was wondering if there is a way to replace the Windows pop-up auth with an F5 logon page for users with PCs not joined to the AD domain.
Followed the steps in the following article: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.htmlconceptid
Thanks for your help.
2 Replies
- Kevin_Stewart
Employee
First let's establish that if the client isn't domain-joined, no form of client side Kerberos can be used. You can, however, achieve Kerberos SSO (server side authentication) for those users. The bigger issue might be one of routing though. Do these non-domain-joined clients come from a different subnet? With different IPs? If these users are still internal, how would you direct just these users through APM, and not the domain-joined users?
- Daniel_W_
Cirrus
I just implemented something similar. To distinguish between domain-joined and non-domain systems, we do a PTR lookup on the client IP in the HTTP request. When the DNS name matches a domain-joined system, we go for 401 Auth; when not, we present form-based login. I can present further details if needed.
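The PTR-based selection described in the reply above, sketched as an added example (not part of the original thread and not F5 or APM code). The DNS suffix, function names and sample records are assumptions, and the sketch goes one step beyond the reply by forward-confirming the PTR name and falling back to the logon form on any lookup failure or mismatch.

```python
import ipaddress
import socket

AD_DNS_SUFFIX = ".corp.example.com"  # assumption: DNS suffix of domain-joined machines

def system_reverse(ip):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup via the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def choose_auth(client_ip, reverse=system_reverse, forward=system_forward,
                suffix=AD_DNS_SUFFIX):
    """Return "negotiate" (HTTP 401 / Kerberos) or "form" (logon page)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "form"
    name = (reverse(str(ip)) or "").rstrip(".").lower()
    # The suffix starts with a dot, so only whole-label matches are accepted.
    if not name.endswith(suffix.lower()):
        return "form"
    # Forward-confirm: the PTR name must resolve back to the client address.
    for addr in forward(name):
        try:
            if ipaddress.ip_address(addr) == ip:
                return "negotiate"
        except ValueError:
            continue
    return "form"

# Constructed sample records (not from the thread), used instead of live DNS.
SAMPLE_PTR = {"10.1.2.3": "ws042.corp.example.com.",
              "10.1.2.77": "ws001.corp.example.com",
              "10.9.9.9": "guest-17.visitors.example.net"}
SAMPLE_A = {"ws042.corp.example.com": {"10.1.2.3"},
            "ws001.corp.example.com": {"10.1.2.10"}}

def demo(ip):
    """Classify an address against the constructed records above."""
    return choose_auth(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
```

The result only selects which logon method is offered; the credentials are still verified by whichever method is chosen.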