Access Policy Manager® provides an alternative to the current form-based login authentication method. This alternative method uses a browser login box, triggered by an HTTP 401 response, to collect credentials. The HTTP 401 response is generated by either SPNEGO/Kerberos or basic authentication challenges. This option is useful when your user has already logged in to the local domain and you want to avoid presenting an APM HTTP form to collect user credentials. The browser automatically submits the credentials to the server, bypassing the login box so that the credentials are not collected again.
The benefits of this feature include:
To retrieve user credentials for end-user login, you can use basic authentication, SPNEGO/Kerberos, or both.
Both methods require that an HTTP 401 Response action item be configured in the access policy and that the authentication method be specified in the action item. When both methods are selected, the browser determines which method is performed based on whether the system has joined a domain. The HTTP 401 Response action has two default branches that indicate whether basic authentication or the Kerberos method was performed.
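The HTTP-level exchange behind the two branches, as an added example (not F5 code or APM configuration): it builds a 401 response carrying both challenges and classifies the `Authorization` header a browser sends back. The branch labels, the realm value, and the choice to route raw NTLM tokens to a fallback are assumptions of this example.

```python
import base64
import binascii

# Challenges a 401 carries when both methods are selected (realm is constructed).
CHALLENGES = ["Negotiate", 'Basic realm="example"']

def build_401(challenges=CHALLENGES):
    """Return the status line and headers of a 401 offering each challenge."""
    lines = ["HTTP/1.1 401 Unauthorized"]
    lines += [f"WWW-Authenticate: {c}" for c in challenges]
    return "\r\n".join(lines) + "\r\n\r\n"

def classify_authorization(header_value):
    """Map a client's Authorization header to (branch, detail).

    branch is 'basic', 'negotiate' or 'fallback' (hypothetical labels).
    """
    scheme, _, token = (header_value or "").strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if not token:
        return ("fallback", "no credentials")
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return ("fallback", "token is not valid base64")
    if scheme == "basic":
        # RFC 7617: user-id and password are split at the first colon.
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        if not sep or not user:
            return ("fallback", "malformed basic credentials")
        return ("basic", user)
    if scheme == "negotiate":
        # An initial GSS-API/SPNEGO token starts with ASN.1 tag 0x60. A client
        # without a Kerberos ticket may send a raw NTLMSSP message instead.
        if raw.startswith(b"NTLMSSP\x00"):
            return ("fallback", "NTLM token, not Kerberos")
        if raw[:1] == b"\x60":
            return ("negotiate", f"SPNEGO token, {len(raw)} bytes")
        return ("fallback", "unrecognized negotiate token")
    return ("fallback", f"unsupported scheme {scheme!r}")
```

Basic credentials are only base64-encoded, not encrypted, so the basic branch should be reachable only over TLS.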
The end-user logon works with events happening in this order:
To set up this configuration, perform the procedures in the task list. You can configure either basic authentication or the Kerberos method.
This is an example of an access policy with all the associated elements needed to successfully support the end-user login feature. Notice that separate branches were created to support using either basic authentication or the Kerberos method to retrieve user credentials.