ntlmv2
3 Topics

NTLM SSO across Virtual Servers behind multiple appliances
Hi all, I have several virtual servers across several environments that require Single Sign-On. All applications on the back end use NTLMv2 for authentication. The challenge is to implement SSO between multiple LTM-APM appliances which do not know about each other's sessions. Is this even possible? Thanks

431 Views, 0 Likes, 5 Comments

Multiple SSO Methods - or a better way to fill in a form?
I have an access policy that I'm using NTLM SSO on. I have users from multiple domains authenticating and accessing a SharePoint site. My access policy is pretty simple. I have a decision tree (asking which domain they are a member of), and when they select domain1 it takes them to a logon page that has AD auth to domain1 with SSO credential mapping afterwards to get the NTLM to work. If they select domain2 it takes them to a logon page that has AD auth to domain2 with SSO credential mapping afterwards to get the NTLM to work. And this works great.

Now, we have a need to offer some additional multi-factor authentication methods. Initially I wanted to do the initial authentication via the APM; however, for security reasons it has been determined that it would be preferred if we could use our existing external IdP to do this. I went ahead and added a SAML auth after the SSO credential mapping so that we could use our external IdP (plus I already had SAML set up for this, as originally we were going to use SAML auth and then Kerberos SSO, but I had to scrap that because of issues with the multiple domains and some security concerns about the trust that was required to make Kerberos work). And it works well. I put the web page into a browser, I get directed to the F5 login page, I select my domain, I authenticate, and then it takes me to the external IdP. I log on there, do the additional authentication, and then get redirected back to the SharePoint site and everything works.

The only thing I would like to change is that since the user is putting their username and password in the initial logon page, I'd like to make it so that when they hit that external IdP the username and password are populated into the web page. There's no reason to make them log in with the same credentials twice. I believe that this is possible using SSO form (though I haven't been able to make that work), but the bigger issue here is that I believe I can only have one SSO method. So right now I have NTLMv2, and even if I could get the forms thing to work it would mean that my users would then get the pesky Windows security prompt (since I would no longer have the NTLM SSO). So my simple question is this: is there a way, within an access policy, to fill in an external login page (iRule maybe) other than changing the SSO method (since I need the SSO method to be NTLMv2)? Thanks!

284 Views, 0 Likes, 3 Comments

Mix NTLMv2 & Kerberos SSO in the same policy for different sub-URL
Hello! I got a special request and couldn't find a solution on how to address this. E.g.:

The following URL is secured by an APM policy using NTLMv2 as SSO (based on AD auth): https://acme.domain.com/url

The following sub-URL is requesting Kerberos: https://acme.domain.com/url/suburl

For the moment the user needs to authenticate twice, the second time through a Microsoft popup. One of the main issues is: if I log out and log in again with a different user, there is no login requested for the Kerberos part and the first user remains connected. Any idea how I could solve this situation?

BR S.

29 Views, 0 Likes, 1 Comment