Passing user credentials to APM

Question

Hello everyone,&nbsp;
I was wondering if there is a way to pass user credentials to my f5 apm automatically from a user that is logged onto our domain. For example if I have a user that Is logged into his machine and my f5 apm is authenticating that user against ACtive Directory, then Is there any way I can browse to the f5 apm login page and it seemlessly logs me in and presents me with the applications I have available to me, as I have already logged into the domain by logging in on the machine? &nbsp;
Or for example if I have an intranet site hosted on sharepoint for example that is authenticated using ntlm, then sharepoint already knows who I am... So when I click a link that points to my f5 apm portal off of my intranet the f5 will already know who I am because sharepoint has already authenticated me, and present me with my dynamic list of applications?&nbsp;

embee_57573 · Answer

You should look at kerberos authentication, see The manual.&nbsp;

roo_150490 · Answer

Thanks for the response... So would this still pass credentials onto applications on my webtop that use authentication methods such as saml backed off to the same AD, ntlm and those applications that don't support any type of sso, just load up their respective login pages?&nbsp;
I have tried reading the Kerberos parts previously... And am still confused hence trying to work backwards from what I would want an end user to experience to ascertain whether the apm could do this for me for starters.&nbsp;

embee_57573 · Answer

Of you Use kerberos delegation, The f5 Will Will get an Ad account with delegation richts. IT Will spend The username back to the sharepoint server, but not with pw credentials.
You could try to get all Apps om kerberos.&nbsp;

embee_57573 · Answer

You should Point your users to start at The APM. There they login and go from There. You need to cache The users credentials which you Will not be able to extract from Any cookie or token ( that would be a security breach)

matt_dierick · Answer

Hi Roo,&nbsp;
If I understand your use case, it's for an internal usage only. No internet publishing ? Correct ?&nbsp;
Regarding your fist request, APM uses kerberos or NTML authentication for that. If your laptop and you are in the domain, the APM policy will request the windows authentication to the laptop and you will be authenticate to the APM seamlessly. And you will see your application on the webtop. You can enable SSO for these apps as well (https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos).&nbsp;
Regarding your second request. More challenging. APM does not have any connector with your application regarding session opened. So, if the user already has a Sharepoint session opened, APM is not aware of, so APM will present the authentication (logon page, 401 ...). But if kerberos or NTLM auth is enabled on APM, it should be seamless for the user.&nbsp;

Forum Discussion

Passing user credentials to APM

6 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Leaked Credential Check with Advanced WAF

Passing Arguments to iCall Scripts

DEVCENTRAL END-USER LICENSE AGREEMENT

SWG, Kerberos Auth and identify users by credentials

Creating a Credential in F5 Distributed Cloud for Azure