2fa
8 Topics

APM: OWA Two factor authentication Issue
Hello, I have Exchange 2010. We needed to add APM mainly to add 2FA on OWA, but don't want to pass any other service (Outlook, ActiveSync, ...) to the 2FA branch. OWA worked fine as expected, but Outlook keeps sending an authentication pop-up window; even when I enter the username and password it sends the pop-up window again. I can see from the capture that the 401 HTTP response is coming from F5! The issue disappears when I remove the access policy.

Normal Pass before adding 2FA:
login page >> AD auth >> SSO mapping >> allow

After adding 2FA:
landing URI (/Owa & /owa/)
>> branch1 >> logon page >> ADP auth >> variable assign >> RSA logon >> RSA auth >> variable assign >> SSO mapping >> allow
>> branch2 >> allow

Any help to bypass all services from the access policy, noting I tried all solutions including disabled access policy inside template default iRule!!

263 Views, 0 likes, 0 Comments

F5 APM with Microsoft Authenticator
Hi team, has anyone tested Microsoft Authenticator with F5 APM for 2FA? Lots of articles are there for Google Authenticator, but none for Microsoft Authenticator. Pls let me know or point me in the right direction if anyone has ever tested it??

2.7K Views, 0 likes, 17 Comments

Outlook Anywhere 2 Factor Authentication
Hello, since there is no native support for 2FA by Outlook Anywhere I'm wondering if it's possible to set up 2FA with SAML. For example, Outlook is connecting and authenticated by the NTLM Auth object. After this, an AD query finds the user's mobile number from AD, SAML is triggered and an iRule sends an SMS with a "magic link". The user has to open this link on his smartphone and the session is allowed. The link refers to the BigIP as SAML service provider. Something like Ping Identity does, without an external service provider and mobile app where you have to confirm your ID by sliding over. What do you think? Is this possible, or has someone done a scenario like this already? Cheers

564 Views, 0 likes, 4 Comments

VDI Access Policy
I've used the Horizon View iApp to secure access to our VDI environment but I have a query regarding the access policy. During the build I said 'no' to SecurID as although I do want 2FA we are using Radius. So now I want to add 2FA auth onto the access policy. For the browser logons this is simple as I added a 3rd password field and used a variable assign to switch the fields as necessary for either AD or Radius auth. For the client logon page though there does not seem to be an option to add a 3rd password field. My only option is to select from a dropdown whether I want the form to support Windows, RSA, Disclaimer, Radius or Smart Card. I could do the Radius auth, come back to a 2nd logon page for AD credentials, then to AD auth, but as with the browser logon I'd much prefer if this could be done on a single page. Is this possible? As a side note - why on earth does the iApp template only support SecurID as a 2FA method?

197 Views, 0 likes, 0 Comments

F5 APM and DUO Security protecting external website access with 2FA
We want to protect external website's login page with 2FA using DUO Security. We already have similar setup for OWA which works OK but this is all internally. Our F5 APM is doing AD authentication and then opens DUO iFrame page with 2nd step options i.e. DUO Push. Once authenticated with DUO Push it opens OWA page, job done. I have now built another virtual server, using same AD authentication as in above example and I need to open external website with DUO iFrame to continue with authentication and login. How do I take it to external website, do I need new webtop pointing there?

204 Views, 0 likes, 0 Comments

Force Access Policy Depending on User
I currently have a VS for SharePoint with no Access Policy as it only deals with trusted domain joined clients. It does have a couple of iRules; one regarding NTLM (I think to facilitate single sign-on although I didn't build this) and the second assigns a pool based on the requested URL. Our organisation has partner organisations and whilst their username UPN suffix is different we're all members of the same AD. For example I am me@org1.com and the partner organisation is them@org2.com. A requirement has arisen now whereby the partner organisation wish to put 2FA in front of the SharePoint application but I don't want to do this for everyone in the AD. Is it possible then to force some kind of policy/rule/profile that only kicks in when a user e.g. "ORG2\them" attempts to access SharePoint without forcing everyone to go through a log on process?

235 Views, 0 likes, 1 Comment