Configuring Smart Card Authentication and Kerberos Constrained Delegation in F5 Access Policy Manager (APM)
In previous articles, we have discussed the use of F5 BIG-IP as a SSL VPN and then followed up by adding endpoint security to the same Access Profile configuration we used for VPN access. I now wante...
Published Jul 10, 2018
Version 1.0
Hi Joe! No need to be concerned about the "Password from Logon Page" and to be honest the credentials that are going to be used are obtained from the Kerberos SSO profile. Below is a screenshot of my current vpe supporting smart card/certificate based authentication.
From there we need to validate what we are using in our Kerberos SSO profile is actually being obtained.
Enable Debug logging and you can see all of the session variables and if any you are expecting that maybe were not populated.
Then after successfully authenticating using KCD they yes after validation the "lastLogonTimestamp" is updated.
I only support the DoD and intel agencies so this is what I do on a fairly common basis. If you need any help at all please do not hesitate to reach out. Hope this helps!