Forum Discussion

mf5
Aug 27, 2018

APM Kerberos authentication

Hello,

Presently we have webmail using 2-factor authentication (AD & OTP).

I want to know whether client-side authentication uses Kerberos between APM and AD?

Thanks.

7 Replies

  • mf5

    What is the default protocol used for AD authentication?

  • It depends. AD queries use Kerberos. APM client-side auth can use Kerberos, NTLM, or even LDAP.

  • mf5

    Maybe my question was not clear previously. What is the default protocol used by APM to authenticate a client with AD? Will it negotiate with AD and use any one of the above-mentioned protocols (Kerberos, NTLM, or even LDAP)?

  • How APM authenticates a client is completely dependent on how you define authentication in an access policy. For AD, those options can include:

    • 401- and 407-based Kerberos authentication - where the client requests a Kerberos service ticket from the AD for access to a service. Here the client contacts the AD (via Kerberos negotiation).

    • 401- and 407-based NTLM authentication - where APM presents an NTLM challenge-response to the client, and verifies the client's response against the AD. Here APM contacts the AD via NTLM/RPC negotiation.

    • 401- and 407-based Basic authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate a user.

    • Forms-based authentication - where APM queries the AD via AD query (Kerberos) or LDAP query to validate the user.

    There is no "default" method. You would choose which method(s) you want to use with clients.

  • To complete Kevin's answer:

    • AD Auth authenticates the user with the session variables
      session.logon.last.username
      and
      session.logon.last.password
    • AD Query requests user attributes with the LDAP filter
      sAMAccountName=${session.logon.last.username}
      unless you customize the filter in the VPE AD Query box.

    You can provision these variables with

    • logon pages
    • 401 response pages
    • variable assign box
    • iRules

    When working with client-side Kerberos, NTLM, SAML or OAuth, the password variable is not provisioned because it is not received by APM.
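The AD Query filter described in the reply above substitutes the logon username into an LDAP filter, and the reply notes that admins can customize that filter in the VPE. The following Python is an added example, not code from this thread or from F5, showing that substitution done with RFC 4515 escaping of the username and the structural difference escaping makes once the filter is customized. The group name, domain and the `build_filter`/`assertion_count` helpers are hypothetical, and the sample usernames are constructed; whether APM escapes the variable itself is not stated in the thread, so this is the check a practitioner would want around a customized filter, not a description of APM internals.

```python
# Added example (not from the forum thread or F5): builds the APM-style AD Query
# filter sAMAccountName=${session.logon.last.username} from a username and shows
# why the value must be escaped per RFC 4515 when the filter is customized.
# Names and the custom filter below are hypothetical.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Variable placeholder as it appears in the thread's filter.
VARIABLE = "${session.logon.last.username}"

# Default filter shape from the thread.
DEFAULT_FILTER = "sAMAccountName=${session.logon.last.username}"

# Hypothetical customized filter an admin might set in the VPE AD Query box to
# restrict the query to members of a webmail group (constructed for this example).
CUSTOM_FILTER = (
    "(&(sAMAccountName=${session.logon.last.username})"
    "(memberOf=CN=Webmail,OU=Groups,DC=corp,DC=example))"
)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP assertion value (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, template: str = DEFAULT_FILTER) -> str:
    """Substitute the logon username into the filter template, escaped."""
    return template.replace(VARIABLE, escape_filter_value(username))


def build_filter_unescaped(username: str, template: str = DEFAULT_FILTER) -> str:
    """Same substitution without escaping; shown only for comparison."""
    return template.replace(VARIABLE, username)


def assertion_count(ldap_filter: str) -> int:
    """Count filter components by literal '(' characters.

    The escape sequences emitted above never contain a literal '(', so this is
    a cheap structural check: a substituted username must not change the count
    relative to the template it was substituted into.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample usernames: an ordinary one and one carrying filter
    # metacharacters, to show that only the unescaped path changes the filter.
    for user in ("j.doe", "*)(objectClass=*"):
        print(f"{user!r}")
        print("  escaped  :", build_filter(user, CUSTOM_FILTER))
        print("  unescaped:", build_filter_unescaped(user, CUSTOM_FILTER))
```

With the default filter the username is the whole assertion value, so escaping only matters for stray metacharacters; once the same variable is placed inside a larger `(&(...)(...))` expression, as in the customized template, an unescaped value containing `)(` adds a fourth component to a three-component filter, while the escaped value leaves the structure unchanged.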