Forum Discussion

Saba_007_140621
Apr 22, 2014

Windows security pop up for external URL

Hello Experts :)

We have 2 links for SAP Enterprise Portal published via the F5. One is an internal URL: abc.xyz.com for which SSO is required. Hence SPNego / Kerberos has been configured for this link & setspn -L gives this hostname as the output.

The external link, def.xyz.com, is password-based login; hence, it should not use SPNego (SSO) and is correctly not part of the setspn -L output. However, when internet users access the external link, they see the attached Windows Security pop-up.

I know this can be avoided by browser settings, but since we don't have control over external browsers, we need to get rid of the pop-up from our end.

Normally, if SPNego were used for def.xyz.com, users would see the above pop-up. However, as mentioned, the setspn -L output just gives abc.xyz.com.

Is there some other setting (maybe someplace on the F5) where we could ensure that def.xyz.com does not use SSO (basically get rid of the security pop-up in some way)? (Whether the internet user selects Cancel or enters his Portal credentials, the regular Portal login screen appears.)

Please help advise.

Thanks a lot!!! saba.

5 Replies

  • Are you using APM? The popup is an indication that the client is receiving a 401 Unauthorized response from the server, most likely also a Negotiate authentication check. If you're using APM, you could split the policy based on client source address (among other things) and present the 401 for Negotiate/Kerberos authentication to internal clients, and a form to external clients.

  • I'm running into a similar issue. Anyone have suggestions?

  • So just to clarify from the original post, are you getting the logon prompt for external (Internet) users only, or for all users?

    External users aren't ever going to be able to pass a Kerberos ticket, so you can either a) allow them to pass username and password credentials in the dialog for either NTLM or Basic auth, or b) filter on the client source address and do NOT try to do Negotiate auth for external clients.
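The source-address split described in the first and last replies above, written out as an added Python model (this is example code, not F5's APM policy logic and not anything posted in the thread): the internal address ranges, the decision function, and the access-log format are constructed assumptions; only the two hostnames come from the original post.

```python
"""Model of 'split the policy on client source address' from the replies.

Constructed example: an APM access policy would branch in the policy
editor; here the same decision is plain Python so it can be exercised
offline, plus a log check that flags external clients who were sent a
Negotiate challenge (the condition that produces the browser pop-up).
"""
import ipaddress

# Hypothetical internal ranges; substitute the real corporate networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SSO_HOSTS = {"abc.xyz.com"}    # Kerberos/SPNego expected (from the thread)
FORM_HOSTS = {"def.xyz.com"}   # password form expected (from the thread)


def is_internal(client_ip: str) -> bool:
    """True when the client source address falls inside an internal range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def choose_auth(host: str, client_ip: str) -> dict:
    """Challenge the policy should present for this request.

    Only internal clients on the SSO host get the 401 Negotiate that lets
    the browser send a Kerberos ticket silently; everyone else gets the
    login form with a 200, so no Windows Security dialog is triggered.
    """
    if host in SSO_HOSTS and is_internal(client_ip):
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
    return {"status": 200, "headers": {}, "body": "login-form"}


def challenge_causes_popup(status: int, headers: dict) -> bool:
    """A 401 carrying Negotiate, NTLM or Basic is what makes browsers prompt."""
    if status != 401:
        return False
    for part in headers.get("WWW-Authenticate", "").split(","):
        scheme = part.strip().split(" ", 1)[0].lower()   # simplified parse
        if scheme in ("negotiate", "ntlm", "basic"):
            return True
    return False


def find_external_negotiate(log_lines):
    """Return (host, client_ip) pairs where an external client got a pop-up 401.

    Constructed log format: "<client_ip> <host> <status> <WWW-Authenticate|->".
    """
    hits = []
    for line in log_lines:
        ip, host, status, www = line.split(None, 3)
        hdrs = {} if www == "-" else {"WWW-Authenticate": www}
        if not is_internal(ip) and challenge_causes_popup(int(status), hdrs):
            hits.append((host, ip))
    return hits


# Constructed sample records: one correct internal SSO challenge, one external
# client wrongly challenged on the password-based host, one clean form login.
SAMPLE_LOG = [
    "10.1.2.3 abc.xyz.com 401 Negotiate",
    "203.0.113.7 def.xyz.com 401 Negotiate",
    "203.0.113.8 def.xyz.com 200 -",
]
```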