
Forum Discussion

11 Replies

  • Harry1

    I have configured an IIS server with the Windows authentication option. Can I configure SSO here? At present it is asking for a password once I click on the published link under the webtop link. I have configured Kerberos SSO, but the web page is still asking for credentials after a successful AD login on the APM policy page.

     

    Can anyone help me out?

     

  • AndOs

    Kerberos SSO can be a bit fiddly to get working.

     

    Something that helped me out last time I worked with Kerberos SSO was chapter Kerberos Authentication with End-User Logons from the APM Authentication and SSO guide.

     

    Also, check out this article here on DC, APM Cookbook: Single Sign On (SSO) using Kerberos

     

    Verify that SPNs are configured correctly for your web servers. This Microsoft KB might have a few tips, How to use SPNs when you configure Web applications that are hosted on Internet Information Services

     

    /Andreas

     

  • You can use Auction Site, which is being used as a testing server for ASM Labs. Doing so, you can test form-based SSO. You can also set up a lab Exchange server to test NTLM + Kerberos SSO.

     

    • Harry1

      Exchange setup is a very lengthy procedure; that is why I chose the IIS server.

       


  • Check the 401 HTTP request message sent by your IIS server. What is the value of the WWW-Authenticate attribute? It should be "Negotiate" for Kerberos. For basic authentication the value is "Basic", which seems to be the case here for you.

     

    If OK, I advise you to activate debug mode for APM and check in /var/log/apm whether the SSO profile is invoked when you access your website.

     

  • Harry1

    I tried to activate debug logs, but I am not getting Kerberos-related logs here.

     

  • Your SSO profile seems not to be invoked in that case. I never tried Kerberos SSO, but for other SSO methods I always saw logs. For example, for HTTP-form SSO:

     

    Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: constructor
    Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: webssoContext constructor
    ...
    Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: ssoMethod: form-based usernameSource:

     

    Check your Access profile configuration and make sure your SSO profile is applied correctly.
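
The two checks suggested in this thread (the WWW-Authenticate value in the IIS 401, and websso debug lines in /var/log/apm) can be scripted. The following is an added example, not part of the original posts or of F5's tooling; the sample 401 response is constructed, the log lines are the ones quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed 401 of the kind IIS returns with Windows authentication enabled.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n\r\n")

# websso debug lines in the format quoted in the thread (form-based SSO).
SAMPLE_APM_LOG = """\
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: constructor
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: webssoContext constructor
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: ssoMethod: form-based usernameSource:
"""

WEBSSO = re.compile(r"\bdebug websso\.\d+\[\d+\]: \S+ (.*)")

def offered_schemes(raw_response):
    """Auth schemes named in the WWW-Authenticate headers of a 401 response."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] != "401":
        return []  # the server did not challenge at all
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # header names are case-insensitive
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].rstrip(","))
    return schemes

def websso_methods(log_text):
    """Return (count of websso debug lines, set of ssoMethod values seen)."""
    count, methods = 0, set()
    for line in log_text.splitlines():
        m = WEBSSO.search(line)
        if m:
            count += 1
            sm = re.match(r"ssoMethod: (\S+)", m.group(1))
            if sm:
                methods.add(sm.group(1))
    return count, methods

def diagnose(raw_response, log_text):
    """Apply the thread's two checks in order and name the first that fails."""
    if "negotiate" not in [s.lower() for s in offered_schemes(raw_response)]:
        return "backend does not offer Negotiate, so Kerberos SSO cannot apply"
    count, methods = websso_methods(log_text)
    if count == 0:
        return "no websso debug lines: SSO profile not invoked or debug logging off"
    return "websso invoked, ssoMethod: " + (", ".join(sorted(methods)) or "none logged")
```

Feed `diagnose` the raw 401 captured from the IIS server and the contents of /var/log/apm taken while requesting the published link.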