Forum Discussion

Gavin_Connell-O
Sep 24, 2013

Authentication access policy for intranet site / APM Module

Hi there,

I've got a requirement for a new APM access policy, so I thought I'd field the question here. Has anyone got experience with the following type of requirement?

 

I've got an intranet site, the owners of which can't manage authentication at the web server side (for reasons that we won't go into for now...). So, they want the APM to manage it for them.

When a user hits the site/virtual server, they want the APM policy to do the following:

 

  1. When the HTTP request is for a particular URI (for example /secure)
  2. Check for a currently logged-in Kerberos or NTLM session token in their session.
  3. If there is a Kerberos token in the user's session, run an AD/LDAP query getting their group memberships, and if they are a member of a particular group, grant them access to the requested resource.
  4. If there isn't a Kerberos token, send them to an 'F5 Login page' and request AD auth and group checking before letting them in.
  5. All other URI requests should just be allowed through. The authentication controls should only be enacted if the configured URLs are requested.

I'm fine with a standard access policy, but I haven't implemented Kerberos/NTLM SSO before. We want to capture the user's currently logged-on AD credentials and run an AD query on them. Obviously this will only work with domain-joined PCs; that's what the second leg of the access policy is there for, to mop up unsupported clients/browsers or external users...

I'd be really keen to hear anyone's similar experiences or ideas. As I build up my design and implementation I'll share it here also. Hopefully we might all be able to learn something together! ;)

Cheers,

Gavin Connell-Otten

26 Replies
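One way to get the URI-scoped behaviour in steps 1 and 5 (enforce the policy only under /secure, pass everything else straight through) is an iRule on the virtual server that toggles APM enforcement per request. This is an added example, not code from the original post or from F5; it assumes APM is attached to the virtual server, that steps 2 to 4 (Kerberos/NTLM auth, the fallback logon page, the AD Query and group branch) are built in the Visual Policy Editor, and that the /secure prefix and the group DN shown are placeholders.

```tcl
# Added example (not from the original post). Assumes APM is attached to the
# virtual server and the access policy itself is built in the VPE.
when HTTP_REQUEST {
    # Lower-case the path so /Secure and /secure are treated the same.
    # HTTP::path is the raw path without the query string; percent-encoded
    # or dot-segment variants are not normalised here (see note below).
    set path [string tolower [HTTP::path]]

    # Match the prefix on a path-segment boundary: "/secure" and "/secure/..."
    # are protected, but "/secure-public" or "/securefoo" are not.
    if { ($path equals "/secure") || ($path starts_with "/secure/") } {
        # Run the access policy for this request (steps 2-4 happen in the VPE)
        ACCESS::enable
    } else {
        # Step 5: no policy enforcement for any other URI
        ACCESS::disable
    }
}

# For step 3, the group check lives in the policy, not the iRule: a branch
# rule on the AD Query item (placeholder group DN, assumed attribute name
# session.ad.last.attr.memberOf populated by the AD Query with memberOf).
#
#   expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Intranet-Secure-Users," }
#
# Branch "Allow" on true, "Deny" on the fallback branch.
```

Two practitioner caveats: the prefix test above deliberately checks `equals "/secure"` or `starts_with "/secure/"` rather than a bare `starts_with "/secure"`, so a sibling path such as /secure-public does not get swept in; and because the check is on the raw path, a request like /secure/../other or a percent-encoded variant reaches the origin with whatever the web server makes of it, so if the origin normalises paths, decode and collapse dot-segments before matching (or protect the whole site and exempt only the public prefixes instead). Also note that with this pattern an APM session is only created when a user first hits /secure, so the Kerberos or NTLM challenge in step 2 is never seen on the public part of the site.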