Access Policy Manager® (APM®) provides an alternative to a form-based login authentication method. This alternative method uses a browser login box that is triggered by an HTTP 401 response to collect credentials. A SPNEGO/Kerberos or basic authentication challenge can generate an HTTP 401 response.
This option is useful when a user is already logged in to the local domain and you want to avoid submitting an APM HTTP form for collecting user credentials. The browser submits the user's existing credentials to the server automatically, so the login box that would collect the credentials a second time is bypassed.
The benefits of this feature include:
To retrieve user credentials for end-user logon, you can use basic authentication, the SPNEGO/Kerberos method, or both.
Both methods require that an HTTP 401 Response action item be configured in the access policy and that the authentication method be specified in the action item. In cases where both methods are selected, the browser determines which method to perform based on whether the system has joined a domain. The HTTP 401 Response action has two default branches to indicate whether basic authentication or the Kerberos method is performed.
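The challenge/response exchange behind the HTTP 401 Response action and its two default branches, as an added example that is not APM's own code: a small Python simulation in which the server side emits one or both WWW-Authenticate challenges, the client side builds the Authorization header a browser would send, and a routing function classifies that header the way the action's branches do (Negotiate versus Basic), falling back when the header is missing or malformed. The realm, the function names and the branch labels are assumptions chosen for illustration.

```python
import base64

# Added example, not F5/APM code: a constructed simulation of the HTTP 401
# challenge/response exchange behind APM's "HTTP 401 Response" action.
# REALM, the function names and the branch labels are assumptions.

REALM = "example.com"  # constructed Basic-auth realm


def build_401_challenge(methods):
    """Server side: return (status, headers) for the configured methods.
    `methods` is any subset of {"negotiate", "basic"}; with both configured the
    browser picks Negotiate on a domain-joined host and Basic otherwise."""
    headers = []
    if "negotiate" in methods:
        headers.append(("WWW-Authenticate", "Negotiate"))
    if "basic" in methods:
        headers.append(("WWW-Authenticate", 'Basic realm="%s"' % REALM))
    return 401, headers


def basic_header(username, password):
    """Client side: the Authorization header a browser sends for Basic."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def negotiate_header(token):
    """Client side: the Authorization header carrying a GSS token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def route_authorization(header_value):
    """Server side: classify the Authorization header into the branch the 401
    action would follow. Returns (branch, details); the password itself is
    never returned or logged, only its length."""
    if not header_value:
        return "fallback", None
    scheme, _, param = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        blob = base64.b64decode(param, validate=True)
    except (ValueError, TypeError):
        return "fallback", None
    if scheme == "negotiate":
        # An initial GSS-API token (RFC 2743 InitialContextToken) is DER with
        # APPLICATION 0 tag 0x60. Browsers may also send NTLMSSP under the
        # Negotiate scheme, which a Kerberos-only branch cannot validate.
        if blob.startswith(b"NTLMSSP\x00"):
            return "Negotiate", {"mechanism": "NTLM", "token_len": len(blob)}
        if blob[:1] == b"\x60":
            return "Negotiate", {"mechanism": "SPNEGO/Kerberos", "token_len": len(blob)}
        return "fallback", None
    if scheme == "basic":
        try:
            decoded = blob.decode("utf-8")
        except UnicodeDecodeError:
            return "fallback", None
        username, sep, password = decoded.partition(":")
        if not sep or not username:
            return "fallback", None
        return "Basic", {"username": username, "password_len": len(password)}
    return "fallback", None


if __name__ == "__main__":
    status, hdrs = build_401_challenge({"negotiate", "basic"})
    print(status, hdrs)
    print(route_authorization(basic_header("alice", "s3cret")))
    print(route_authorization(negotiate_header(b"\x60\x82\x01\x00" + b"\x00" * 4)))
    print(route_authorization("Bearer abc"))
```

The Basic branch shows why the exchange must be TLS-protected: the credentials travel base64-encoded, not encrypted, so anything that can read the request can recover them. The routing function therefore reports only the username and the password length, which is all a policy log needs to distinguish the branches.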
How SPNEGO/Kerberos end-user logon works
The end-user logon works with events happening in this order:
To configure Kerberos authentication, you must meet specific configuration requirements as described here.
To set up this configuration, perform the procedures in the task list.
This is an example of an access policy with all the associated elements needed to successfully support the end-user login feature. Notice that separate branches are created automatically to support using either basic authentication or the Kerberos method to retrieve user credentials.
Example access policy for end-user login
Example properties for an HTTP 401 response action
Example properties for a Kerberos Auth action on the Negotiate branch
You might choose to verify Kerberos authentication configurations in some instances. Use these troubleshooting tips to help resolve any issues you might encounter.
From the command line, use the klist command as shown in this example.
klist -ke WRFILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/\:Common\:SUN-SPNEGO-APM106_key_file_2
The output for the example contains information like this.
Keytab name: FILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/:Common:SUN-SPNEGO-APM106_key_file_2
KVNO Principal
3 HTTP/email@example.com (arcfour-hmac)
kinit HTTP/firstname.lastname@example.org
You are prompted for a password and should receive a ticket (no output, no error).
From the command line, type klist. Here is sample output:
/etc/krb5.conf
Make sure the client sends the ticket to the BIG-IP® system; this verifies that the client setup is successful.
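The keytab check in the troubleshooting steps above, as an added example that is not part of the original document and not F5 code: a Python parser for klist -ke output that confirms the HTTP service principal the browser will request is present in the keytab, reports its key version number (KVNO) and encryption types, and flags the case where only weak encryption types are available. The sample output, principal, realm and KVNO values are constructed placeholders.

```python
import re

# Added example, not F5/APM code. SAMPLE_KLIST is constructed to look like
# `klist -ke` output; the principals, realm, path and KVNOs are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/:Common:SUN-SPNEGO-APM106_key_file_2
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/apm106.example.com@EXAMPLE.COM (arcfour-hmac)
   3 HTTP/apm106.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/old.example.com@EXAMPLE.COM (des-cbc-md5)
"""

# DES and RC4 (arcfour) Kerberos encryption types are deprecated.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return the keytab entries found in klist -ke output as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)),
                            "principal": m.group(2),
                            "enctype": m.group(3)})
    return entries


def check_keytab(text, expected_spn):
    """Report what a practitioner checks before relying on the Negotiate
    branch: is the expected HTTP SPN in the keytab, which KVNOs and encryption
    types does it have, and is it limited to weak encryption types."""
    entries = parse_klist(text)
    matching = [e for e in entries if e["principal"].lower() == expected_spn.lower()]
    return {
        "spn_present": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "enctypes": sorted({e["enctype"] for e in matching}),
        "weak_only": bool(matching) and all(e["enctype"] in WEAK_ENCTYPES for e in matching),
    }


if __name__ == "__main__":
    # Hypothetical SPN for the virtual server the browser connects to.
    print(check_keytab(SAMPLE_KLIST, "HTTP/apm106.example.com@EXAMPLE.COM"))
    print(check_keytab(SAMPLE_KLIST, "HTTP/old.example.com@EXAMPLE.COM"))
```

The SPN must match the host name the browser uses for the virtual server, and the KVNO in the keytab must match the one the KDC currently holds for that principal; a mismatch is a common reason a ticket is issued to the client but rejected on the Negotiate branch. An SPN that has only weak encryption types (the "weak_only" finding) is a signal to regenerate the keytab with AES keys.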