Forum Discussion

DenisGR_21754
Feb 15, 2016

SharePoint kerberos APM, logon page for no AD computer

Hi everyone,

We have an internal SharePoint 2010 site with Kerberos authentication and 2 kinds of computers:
- Computers joined to the same Active Directory as the SharePoint server: users don't need to enter an ID/password to access the SharePoint site (and we don't want to change this behavior).
- Computers not joined to the Active Directory domain: before accessing the SharePoint site, the user gets a Windows authentication pop-up and needs to enter an Active Directory ID/password to access the SharePoint site.

I was wondering if there is a way to replace the Windows authentication pop-up with the F5 logon page for users whose PCs are not joined to the AD domain.

I followed the steps in the following article: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.htmlconceptid

Thanks for your help.

2 Replies

  • First, let's establish that if the client isn't domain-joined, no form of client-side Kerberos can be used. You can, however, achieve Kerberos SSO (server-side authentication) for those users. The bigger issue might be one of routing, though. Do these non-domain-joined clients come from a different subnet? With different IPs? If these users are still internal, how would you direct just these users through APM, and not the domain-joined users?

     

  • I just implemented something similar. To distinguish between domain-joined and non-domain systems, we do a PTR lookup on the client IP in the HTTP request. When the DNS name matches a domain-joined system, we go for 401 Auth; when not, we present form-based login. I can present further details if needed.
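The decision logic described in the reply above, written out as an added example (not the replier's configuration and not F5 code): do a PTR lookup on the client IP, send a 401 with `WWW-Authenticate: Negotiate` when the resolved hostname sits inside the AD DNS domain, and otherwise redirect to the form logon. The AD domain `corp.example.com`, the PTR table, the client addresses and the `/logon` redirect path are all constructed for the example; a real deployment would query the internal DNS server (the `system_ptr_lookup` helper shows that variant). The example also covers the two cases a practitioner needs to get right: a hostname that merely ends in the domain string (`evilcorp.example.com`) must not count as joined, and any lookup failure must fall back to the form.

```python
"""Pick Kerberos (401/Negotiate) or form logon from a PTR lookup on the client IP.

Added example illustrating the PTR-based routing decision described in the
forum reply. All names, addresses and the PTR zone below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Mapping, Optional, Tuple

# Constructed AD DNS suffix (assumption for the example, not from the post).
AD_DOMAIN = "corp.example.com"

# Constructed PTR zone: reverse-pointer name (in-addr.arpa / ip6.arpa) -> hostname.
FAKE_PTR_TABLE: Mapping[str, str] = {
    ipaddress.ip_address("10.1.20.15").reverse_pointer: "ws0815.corp.example.com",
    ipaddress.ip_address("10.1.30.7").reverse_pointer: "vendor-laptop.guest.example.net",
    ipaddress.ip_address("10.1.30.8").reverse_pointer: "rogue.evilcorp.example.com",
    ipaddress.ip_address("2001:db8::10").reverse_pointer: "ws0901.corp.example.com",
    # 10.1.30.99 deliberately has no PTR record (NXDOMAIN).
}

PtrLookup = Callable[[str], Optional[str]]


def fake_ptr_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR query against the constructed zone above.

    Raises ValueError for an unparsable address, like a real resolver wrapper would.
    """
    return FAKE_PTR_TABLE.get(ipaddress.ip_address(ip).reverse_pointer)


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR query through the OS resolver (not used by the demo below)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:  # NXDOMAIN / no PTR record
        return None


def in_ad_domain(hostname: str, domain: str = AD_DOMAIN) -> bool:
    """True only when hostname is a child of domain at a label boundary.

    A bare endswith() would accept 'rogue.evilcorp.example.com' for
    'corp.example.com'; requiring the leading dot prevents that.
    """
    h = hostname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return h.endswith("." + d)


def choose_auth_method(client_ip: str,
                       ptr_lookup: PtrLookup = fake_ptr_lookup,
                       domain: str = AD_DOMAIN) -> str:
    """Return 'kerberos-401' for domain-joined clients, 'form-login' otherwise.

    Every failure path (no PTR, bad IP, resolver error) falls back to the form:
    a non-joined client cannot do client-side Kerberos anyway, and a joined
    client can still type its AD credentials into the form, so the safe
    default costs only convenience, never access.
    """
    try:
        hostname = ptr_lookup(client_ip)
    except (ValueError, OSError):
        return "form-login"
    if hostname and in_ad_domain(hostname, domain):
        return "kerberos-401"
    return "form-login"


def response_for(client_ip: str, ptr_lookup: PtrLookup = fake_ptr_lookup) -> Tuple[int, Dict[str, str]]:
    """Map the decision to the HTTP response the edge device would send.

    '/logon' is a placeholder for the form logon URL, not an APM path.
    """
    if choose_auth_method(client_ip, ptr_lookup) == "kerberos-401":
        return 401, {"WWW-Authenticate": "Negotiate"}
    return 302, {"Location": "/logon"}


if __name__ == "__main__":
    for ip in ("10.1.20.15", "10.1.30.7", "10.1.30.8", "10.1.30.99", "2001:db8::10"):
        print(ip, fake_ptr_lookup(ip), "->", response_for(ip))
```

Note that the PTR answer only steers the user experience; both branches still authenticate the user against Active Directory, so a wrong or stale PTR record costs a domain-joined user one extra logon form rather than granting anything. Keep the resolver pointed at the internal DNS server and, as in the code, treat every lookup failure as "show the form".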