mf5
Aug 27, 2018Nimbostratus
APM Kerberos authentication
Hello,
Presently we have webmail using 2F-authentication (AD & OTP)
I want to know whether client-side authentication uses Kerberos between APM and AD?
Thanks.
It can...
2FA implies more than one type of identity attribute though.
What is the default protocol used for AD authentication?
It depends. AD queries use Kerberos. APM client side auth can use Kerberos, NTLM, or even LDAP.
Maybe my question was not clear previously: what is the default protocol used by APM to authenticate a client with AD? Will it negotiate with AD and use any one of the above-mentioned protocols (Kerberos, NTLM, or even LDAP)?
How APM authenticates a client is completely dependent on how you define authentication in an access policy. For AD, those options can include:
401 and 407-based Kerberos authentication - where the client requests a Kerberos service ticket from the AD for access to a service. Here the client contacts the AD (via Kerberos negotiation).
401 and 407-based NTLM authentication - where APM presents an NTLM challenge-response to the client, and verifies the client's response against the AD. Here APM contacts the AD via NTLM/RPC negotiation.
401 and 407-based Basic authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate a user.
Forms-based authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate the user.
There is no "default" method. You would choose which method(s) you want to use with clients.
Thanks Kevin
To complete Kevin’s answer
session.logon.last.username
and session.logon.last.password
sAMAccountName=${session.logon.last.username}
except if you customize the filter in the VPE AD Query box. You can provision these variables with
When working with client-side Kerberos, NTLM, SAML or OAuth, the password variable is not provisioned because it is not received by APM.
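As an added illustration (not F5's code and not the poster's), the following shows how an AD Query filter like the one above is assembled from the session.logon.last.username variable, and why a customized filter should escape the value per RFC 4515 rather than substitute it literally; the session dictionary and function names are assumptions for the example.

```python
# RFC 4515 escapes for characters that carry LDAP filter syntax. Replacing them
# with \XX hex sequences keeps a supplied username from changing the filter shape.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(session: dict) -> str:
    """Literal substitution, mirroring ${session.logon.last.username} with no escaping.
    A username containing '(' or ')' yields a malformed or restructured filter."""
    return f"(sAMAccountName={session['session.logon.last.username']})"


def ad_query_filter(session: dict, attribute: str = "sAMAccountName") -> str:
    """Build the AD Query filter from the APM session variables (assumed dict layout).

    Raises if the username variable was never provisioned, which is the case for
    access policies that do not run a Logon Page before the AD Query agent.
    """
    username = session.get("session.logon.last.username")
    if not username:
        raise ValueError("session.logon.last.username is not provisioned")
    return f"({attribute}={escape_filter_value(username)})"


if __name__ == "__main__":
    # Constructed sample session, as a Logon Page agent would populate it.
    sample = {"session.logon.last.username": "Doe (contractor)"}
    print(naive_filter(sample))      # unbalanced parentheses inside the value
    print(ad_query_filter(sample))   # value escaped, filter structure preserved
```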