Forum Discussion
Hi Niels,
I have checked how the client environment operates for SSO with Azure Web Proxy. The solution provides the client with two-factor authentication and then grants them seamless authentication to all the web services. It is basically a proxy that redirects the requests from the cloud to web servers in the datacenter, and there is a connector that handles the Kerberos tickets with AD. The best article that explains the solution can be found below: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd
Also, I ran a packet sniffer on the server side with the F5-LTM bypassed, and saw that the client includes an authorization negotiate when it requests the service (a Kerberos ticket and token were seen in the GET request), which means that there should be a kind of pre-authentication process between Azure and AD when the client starts the session.
I think that F5-APM should be part of this Kerberos Constrained Delegation process, but I am not sure how this can be done.
I would appreciate your assistance with the proper integration that should be done from the F5 side.
Thanks again for your help, Muhannad