Forum Discussion
djzoidberg_2313
Nimbostratus
NimbostratusWindows credential with APM
Hi all,
my boss has ever good ideas to destroy my happiness and he ask me to create a SSO system to access on a HTTP page using windows logon credentials without show at the users the login from.
I h...
It sounds to me like you want to use APM and use Kerberos Auth (SPNEGO) which has the client get a ticket from the domain server directly and then send that ticket to the APM. Then you can put your webserver in a pool behind the Kerberos auth APM. No popup will be shown as long as your browser is configured to send Kerberos auth on a 401 (the method of configuring this is different in IE or Firefox, but you can likely push out the IE config via group policy).
Here is the guide for the APM configuration part:
djzoidberg_2313Hi Josiah, thanks for answer. I have a correlated question. This method can be used if I have a web application server out of my domain but is able to talk with Active Directory? I try to explain better. The web page is hosted by a cluster of Cisco Call Manager (I'm talking about self care portal) and this servers, balanced by LTM F5, aren't joined on the domain but they talk with AD for authentication of the users. In this case, I think, kerberos isn't the right way. It could make sense?- Well, if your boss is ok with a logon page on the APM, you can use whatever SSO you want to the backend servers. If you don't want to enter anything in a logon page or a popup, then you want client certs, or kerberos spnego, or you could even do NTLM or Basic Auth. I think you need to definitely clear up your boss' requirements regarding what applies to front-end (client to f5) and what applies to backend (f5 to servers), and what type of auth your servers use (if any)
