NTLM SSO for end-users in a AD domain

Question

Hi,
I have users which are already authenticated within the AD domain. My BIG-IP APM/LTM should do the following:&nbsp;
provide SSO to the backend server: the SharePoint server should see the user credentialsif a users is already authenticated against the AD, the user should not see any login prompt.I would like to use NTLM
There is a solution [http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0/3.htmlconceptid]  but this is based on Kerberos.&nbsp;
Is this only possible with Kerberos or should NTLM work also?&nbsp;
My main concern is if with NTLM SSO to the backend is possible or not.&nbsp;

michael_koyfma1 · Answer

Yes, using NTLM on the front-end is possible - but because NTLM authentication cannot be proxied - meaning that APM does not get user's password during NTLM authentication - so regardless of whether you use Kerberos or NTLM to authenticate to APM, you will have to setup Kerberos Constrained Delegation on the backend for SSO.

michael_koyfma1 · Answer

https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication&nbsp;

embee_57573 · Answer

thanks Michael, great article. Learned about ECA which was new to me :)&nbsp;

Forum Discussion

NTLM SSO for end-users in a AD domain

3 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

DEVCENTRAL END-USER LICENSE AGREEMENT

NTLM

Customizing APM end user login page with APM Advanced Customization Templates

Configuring APM Client Side NTLM Authentication

Enriching AFM with public domain Threat Intelligence