Forum Discussion
Hi Kevin,
We just need the Kerberos 'pickup' to be client side. The content servers aren't going to expect any authentication; they are firewalled off and only the F5 will be able to speak to them, so it's good enough to have the authentication happen when the client connects to the F5. All we need to verify is that the current user is a member of a particular 'OU', then the F5 should grant full access to the resource.
The two VIP idea is one we've experimented with for this solution already (just using a basic login page, not Kerberos), but we had some unexpected side effects. There are a couple of sub sites under this root web server which use SSL, but don't require authentication. As you'd expect, users trying to access those sites were all of a sudden prompted to log in.
I suppose we could disable the access policy for requests to those particular URLs using your suggested iRule logic below?
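when HTTP_REQUEST {
    # my_uri_dg is a data group of URI prefixes; ACCESS::disable skips the access policy for this request
    if { not ( [class match [string tolower [HTTP::uri]] starts_with my_uri_dg] ) } { ACCESS::disable }
}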
Cheers,
Gavin