Dev_56330
Oct 31, 2017

Does the BIG-IP RDP Gateway Support Kerberos SSO?

Per the overview for configuring APM as a gateway for Microsoft RDP clients, it states "Only NTLM authentication is supported. This access policy should verify that NTLM authentication is successful and must assign an additional access policy to use for resource authorization throughout the session."

With that, within the F5 supported iApp one option states "To use client NTLM authentication, you must correctly configure Kerberos delegation in the Active Directory domain where Remote Desktop users will be authenticated."

I'm confused as to what this even means. How is Kerberos delegation implemented if only NTLM is supported based on the "configuring APM as a gateway for Microsoft RDP clients" support page? Any clarification is much appreciated. I am trying to configure a full webtop with RDP session host resources and perform SSO for users who authenticated to the webtop using user certificates. I am currently testing with 13.0.

 

1 Reply

  • "To use client NTLM authentication, you must correctly configure Kerberos delegation in the Active Directory domain where Remote Desktop users will be authenticated"

    This means that if you configure NTLM authentication on the client side, APM can't know the user password. So if you want SSO to the backend server, the only available SSO is Kerberos SSO using the Kerberos delegation feature.

    This is the same requirement every time client-side authentication doesn't provide the user password.

    I'm not sure Kerberos SSO is available in version 13 and earlier for RDP.