Forum Discussion
SSO for webserver
Hi out there
I need an idea of how I can avoid my users cheating me.
I have an SSO setup where I, through a client-initiated web form, do an SSO login to a web server. After this the APM job is finished and I expected that my users would now always have to go through the APM module to log in to the web server.
But - if I open a new window in the browser and know the URL, I can avoid the APM module because I already have a running session and get a login from the backend system. Can somebody give me some ideas on how to always force the users to go through a login of the APM module? I don't want my users to be able to go directly to the web server and log in as another user...
Suggestions?
33 Replies
- Essouktani_1165
Nimbostratus
Hi all,
I have the same issue with APM and SharePoint Server.
When an external user connects to my F5 portal using a non-computer domain, he/she must type the login and password twice (the second attempt with the domain); if he/she uses a computer domain it works. The IIS server on the SharePoint server uses Windows authentication. Is there a way to force/configure BIG-IP APM to send user credentials to the SharePoint server (IIS)?
Thank you in advance for your help.
- Kevin_Stewart
Employee
These may be two different things. Are we talking about users being able to go around the LTM/APM and communicate with the servers directly, or users opening another window in the same browser session and bypassing the initial APM logon?
- Essouktani_1165
Nimbostratus
Hi Kevin,
In my case, the end user (an external user with any computer) should have access to SharePoint through APM using the same browser window.
Regards
- Kevin_Stewart
Employee
Yes, but are users now able to go around LTM/APM directly to the servers?
- Essouktani_1165
Nimbostratus
If you mean connect directly (without APM) to the server from the internal network, yes.
- Essouktani_1165
Nimbostratus
If the user is external, he must type his/her credentials twice: the first for APM and the second for the web server.
- Kevin_Stewart
Employee
Okay, so you have two sets of users: external and internal. To prohibit internal users from going directly to the server, you would need to 1) force internal DNS to point to the APM VIP, 2) enable SNAT, and 3) set IP filters on the servers so that no HTTP traffic could get to it unless it came from the BIG-IP (self-IP).
For external users, and internal users forced through APM, you would need to create an SSO profile that takes the credentials from the APM logon page and posts them to the server's logon page.
- Essouktani_1165
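Step 3 of the procedure above (SNAT on, servers accepting HTTP only from the BIG-IP self-IP) has a useful side effect: once it is in place, every legitimate request in the web server's access log carries the self-IP as its source, so any other source address is a connection that bypassed APM. The script below is an added example for this thread, not F5 code or anything from the original posts. It audits common-log-format lines against an allow-list of self-IPs or networks; the self-IP 10.0.0.5, the internal client 192.168.1.77 and the log lines themselves are constructed for the example.

```python
"""Audit a web server access log for requests that did not arrive via the BIG-IP.

Added example, not F5 code. Assumes (constructed) that SNAT is enabled on the
APM virtual server, so every request that passed through APM reaches the web
server with the BIG-IP self-IP as its source address.
"""
import ipaddress
import re
from collections import Counter

# Constructed: self-IPs (or networks) the BIG-IP SNATs client traffic to.
BIGIP_SELF_IPS = ["10.0.0.5"]

# Common log format: src ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: two requests through the BIG-IP, two direct from an
# internal workstation that bypassed APM, and one unparsable line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0200] "GET /login.aspx HTTP/1.1" 200
10.0.0.5 - - [10/Oct/2014:13:55:40 +0200] "POST /login.aspx HTTP/1.1" 302
192.168.1.77 - - [10/Oct/2014:13:56:02 +0200] "GET /login.aspx HTTP/1.1" 200
192.168.1.77 - - [10/Oct/2014:13:56:09 +0200] "POST /login.aspx HTTP/1.1" 302
garbage line that does not match the log format
"""


def _allowed_networks(allowed):
    """Turn a list of IPs / CIDRs into ip_network objects (a bare IP is a /32)."""
    return [ipaddress.ip_network(a, strict=False) for a in allowed]


def parse_line(line):
    """Return a dict with src/ts/req/status, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, networks):
    """'via_bigip' if the source is a self-IP, otherwise 'direct'."""
    try:
        src = ipaddress.ip_address(entry["src"])
    except ValueError:
        return "unparsed"  # hostname or junk in the source field
    return "via_bigip" if any(src in n for n in networks) else "direct"


def find_bypass(log_text, allowed=BIGIP_SELF_IPS):
    """List every request whose source is not a BIG-IP self-IP.

    Each item is (source, request line, HTTP status); these are the
    connections that reached the server without passing through APM.
    """
    networks = _allowed_networks(allowed)
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry, networks) == "direct":
            hits.append((entry["src"], entry["req"], entry["status"]))
    return hits


def summarize(log_text, allowed=BIGIP_SELF_IPS):
    """Count lines by category: via_bigip, direct, unparsed."""
    networks = _allowed_networks(allowed)
    counts = Counter(via_bigip=0, direct=0, unparsed=0)
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts[classify(entry, networks) if entry else "unparsed"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for src, req, status in find_bypass(SAMPLE_LOG):
        print(f"BYPASS {src} -> {req} ({status})")
```

Run it against a real log by reading the file into `find_bypass` and replacing `BIGIP_SELF_IPS` with the actual self-IPs (or the self-IP subnet as a CIDR). A non-empty result means the DNS or IP-filter step has a hole; a successful POST to the logon page from a non-self-IP source is exactly the direct backend logon the thread is trying to prevent.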
Nimbostratus
Thank you Kevin for posting.
What do you mean by SSO profile? I created an NTLMv2 "SSO method" (as described here http://support.f5.com/kb/en-us/prod...g_sso.html ) and associated it to my Access policy on "AD Auth Domain".
Regards
- Kevin_Stewart
Employee
Okay, so does the NTLMv2 SSO method/profile perform SSO to SharePoint? If so you should only have ONE authentication at the APM and then APM should be doing the logon to SharePoint. What part is not working?
- tiwang
Nimbostratus
Hi Kevin
I discovered that I was able to open a new window in the same browser and thereby bypass the initial APM logon when I was logged on. Please be aware that this hasn't anything to do with what the user Essouktani has been writing in my thread here - even though they may be caused by the same problem.
When they log on to the APM SSO form and are logged on, they are able to open another window in the same browser and then - if they know the URL - they can enter this and get to the logon screen of the web server's application which has been hidden by the SSO form. Thereby they can log on with an arbitrary user of their choice.
The SSO form is defined as a client-initiated SSO form where I make use of some forms sent by the web server, and this looks as if it works well. The authentication mechanism used here is a simple form which is authenticated against an MS SQL Server's users, where the user fills in username and password in a simple form which then is authenticated against the SQL server's users.
I intercept this in the APM module and do an LDAP authentication against the DC in the domain instead, and afterwards use the username and password to do this authentication against the web server for the user.
The idea here was that we would keep the application as it is (based on a 10 year old framework) and create an SSO form which also would give us the possibility to do token authentication against a RADIUS server instead. But if I cannot guarantee that the users are locked to the initial session created by the APM module, the concept has failed.
What can I do?
best regards /ti
