Forum Discussion

kj07208_118528
May 14, 2014

Understanding F5 APM and NTLM Auth

Right now I'm trying to implement a solution that will do the following:

Internal user goes to our SSO portal sso.corp.com. I don't want this to prompt internal users for credentials (from the SSO portal) (using the article "Leveraging BIG-IP APM for seamless client NTLM Authentication").

Question: why can't I just use the 401 element in APM instead of doing the whole NTLM account/config? Is it due to the fact that we are trying to silently authenticate the user instead of presenting the challenge prompt?


5 Replies

  • First, let's separate client side authentication from server side. These are two separate processes that are not necessarily intertwined. NTLM is a challenge/response protocol. The server sends a 401 message indicating it wants the client to present credentials, and in the NTLM process, the client sends back (more or less) a hash of its password to the server to prove that it knows the password. That's pretty straightforward on the server side (SSO) because APM (the client in this case) has the password and just has to generate this hash. But on the client side, APM is the server. It'll send the 401 to request authentication, and the client will summarily send the hash, but without the NTLM account/config stuff, it has no way to verify the hash.
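
The challenge/response exchange described in the reply above, as an added example in Python. This is not code from the thread or from F5; it follows the NTLMv2 computation from MS-NLMP (NTOWFv2 and NTProofStr), hard-codes a constructed NT hash, server challenge and client blob so it runs offline, treats the client blob as opaque bytes rather than building the real timestamp/target-info structure, and uses function names of my own. The point it makes is the reply's: the client can always produce the proof, but the side playing "server" can only check it if it can obtain the user's NT hash, which is what the NTLM machine account configuration (the DC relationship) provides. A third case shows that the realm name is part of the keyed hash, so both sides must agree on it.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the thread).
# NT hash = MD4(UTF-16LE(password)); hard-coded (this is the NT hash of "password")
# so the example does not depend on MD4 being enabled in the local OpenSSL build.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER = "john"
DOMAIN = "MYDOMAIN"  # NetBIOS realm name, not the DNS domain name
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # 8-byte nonce from the Type 2 message
# A real NTLMv2 blob carries a timestamp, client nonce and target info; opaque bytes here.
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x11" * 8 + b"\xaa" * 8


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_respond(nt_hash: bytes, user: str, domain: str,
                   server_challenge: bytes, client_blob: bytes) -> bytes:
    """Client side (the browser answering APM's 401): NTLMv2 response = NTProofStr || blob.
    The password itself never goes on the wire, only this keyed hash over the challenge."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return nt_proof + client_blob


def server_verify(known_nt_hash, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side (APM acting as the server): recompute NTProofStr and compare.
    Without the user's NT hash (what the NTLM machine account / DC lookup supplies)
    there is nothing to compare against, so the proof cannot be verified."""
    if known_nt_hash is None:
        return False
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(known_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def exchange(server_knows_hash: bool, server_domain: str = DOMAIN) -> bool:
    """Run one challenge/response round trip; return whether the server accepted it."""
    # 1. server -> client: 401 with WWW-Authenticate: NTLM, then a Type 2 carrying the challenge
    # 2. client -> server: Type 3 carrying the NTLMv2 response
    response = client_respond(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    # 3. server verifies, which is only possible if it can obtain the NT hash
    known = NT_HASH if server_knows_hash else None
    return server_verify(known, USER, server_domain, SERVER_CHALLENGE, response)


if __name__ == "__main__":
    print("server with NTLM config (has hash):", exchange(True))                   # True
    print("bare 401 agent (no hash to check): ", exchange(False))                  # False
    print("server using the wrong realm name: ", exchange(True, "MYDOMAINCORP"))   # False
```

The first case is the configured NTLM setup; the second is what a 401 agent alone is left with: it can issue the challenge and receive the response, but it holds no secret to check it against. The third case is why the realm string matters: NTOWFv2 mixes the domain name into the key, so a server that derives the wrong realm from the user's name computes a different key and rejects a correct response.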


  • The funniest part is I have seen a couple of users (including myself) post solutions that have used the 401 block in the VPE.

    I'm guessing the 401 agent would pass the request straight through, given that the client is already sending an Authorization header.

     

  • Hi KJ!

    Are you able to implement "Leveraging BIG-IP APM for seamless client NTLM Authentication" in your LTMs? I am running 11.6 Hotfix with no luck. I am getting issues authenticating with the AD: init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.10.10.5

    Please advise. Thank you.


  • Hi J. Navarro,

    Do you have any updates on the issue you were having? We are experiencing the exact same and it is affecting user access to certain services...

    Thanks!


  • Hi Naheed! Our domain name (mydomaincorp.com) is different from the realm domain (mydomain). The NTLM process in the LTM was getting confused: it stripped down the domain name to mydomaincorp and was trying to authenticate with it as if it was the realm domain.

    For example: john@mydomaincorp.com -> mydomaincorp/john

    F5 will have this solved in version 12.

    At the end, I decided to use this method:

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html

    Hope this helps.