Access Policy Manager® (APM) provides an alternative to the current form-based login authentication method. This alternative method uses a browser login box, triggered by an HTTP 401 response, to collect credentials. The HTTP 401 response is generated by either SPNEGO/Kerberos or basic authentication challenges. This option is useful when your user has already logged in to the local domain and you want to avoid submitting an APM HTTP form to collect user credentials. The browser automatically submits credentials to the server and bypasses the login box, so the credentials are not collected again.
The benefits of this feature include:
This feature provides two methods to retrieve user credentials for login: basic authentication or a Kerberos method.
Both methods require an HTTP 401 response action. This action can select either mechanism or both. When both are selected, the browser determines which method is performed based on whether the system has joined a domain. The HTTP 401 response action has two default branches that indicate whether basic authentication or the Kerberos method was performed.
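The following sketch is an added example, not APM code or configuration. It models the 401 challenge headers for the selected mechanisms and sorts the browser's `Authorization` reply into a branch. The branch names (`basic`, `kerberos`, `no_match`), the realm and the sample headers are assumptions constructed for illustration. It goes slightly beyond the text by flagging a `Negotiate` reply that carries an NTLM token instead of a Kerberos one.

```python
import base64
import binascii

# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")

def build_challenges(basic=True, kerberos=True, realm="example-realm"):
    """WWW-Authenticate values for the 401, one per selected mechanism."""
    values = []
    if kerberos:
        values.append("Negotiate")
    if basic:
        values.append(f'Basic realm="{realm}"')
    return values

def classify_authorization(header_value):
    """Map the browser's Authorization header to (branch, detail)."""
    scheme, _, blob = header_value.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("no_match", "malformed base64")
    scheme = scheme.lower()
    if scheme == "basic":
        # Split on the first colon only: passwords may contain ':'
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        if not sep or not user:
            return ("no_match", "missing user:password")
        return ("basic", user)
    if scheme == "negotiate":
        if raw.startswith(b"NTLMSSP\x00"):
            return ("no_match", "NTLM token, not Kerberos")
        # 0x60 opens a GSS-API initial token; require the Kerberos OID inside it
        if raw[:1] == b"\x60" and KRB5_OID in raw:
            return ("kerberos", f"GSS-API token, {len(raw)} bytes")
        return ("no_match", "unrecognized Negotiate token")
    return ("no_match", "unsupported scheme")

def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample headers (not captured traffic)
SAMPLE_BASIC = "Basic " + _b64(b"alice:pa:ss")
SAMPLE_KRB = "Negotiate " + _b64(b"\x60\x0b" + KRB5_OID)
SAMPLE_NTLM = "Negotiate " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    print(build_challenges())
    for sample in (SAMPLE_BASIC, SAMPLE_KRB, SAMPLE_NTLM):
        print(classify_authorization(sample))
```

Basic credentials are only base64-encoded in the `Authorization` header, so the basic branch should be reachable only over TLS.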
The end-user login works with events happening in the following order:
To set up this configuration, perform the procedures in the task list. You can configure either basic authentication or the Kerberos method.
This is an example of an access policy with all the associated elements needed to successfully support the end-user login feature. Notice that separate branches were created to support using either basic authentication or the Kerberos method to retrieve user credentials.