Forum Discussion

Dave_Hart_85_14
Apr 09, 2015

How do I use NTLM client side SSO for two active directory domains?

I have setup NTLM client side SSO to gather user credentials by following the Article "Leveraging BIG-IP APM for seamless client NTLM Authentication".

 

I now need to have this setup work for two domains. I'm assuming I will need to identify which domain the client is in by using the IP address or the Windows info from the Edge Client. How do I modify the iRule that processes the NTLM info so it works for two domains? Do I need to set up two VIPs, each with their own iRule?

 

Has anyone else tried this setup?

 

6 Replies

  • Yes, it's possible to accommodate. You would need to repeat the instructions in the article to have APM join the second domain and create an account there. Basically, create NTLM Machine Account and NTLM Auth objects for the second domain. Then the tricky part comes in modifying the iRule. The NTLM Auth object used is currently hardcoded here:

    set static::appname_ntlm_config "/Common/appname_ntlm_config"

    Then the variable is being used in this command:

    ECA::select select_ntlm:$static::appname_ntlm_config

    You probably want to replace the ECA::select command with an if statement that will set the name of the NTLM auth profile based on the source IP of the connection.

     

    • Dave_Hart_85_14
      Thanks Michael, I will give that a try. Using the IP address to determine what domain the PC belongs to will work for desktops but not roaming devices. Is there a way to present a login prompt if the device is connecting from an IP address that isn't defined in the iRule?
    • Michael_Koyfma1
      It's dangerous - if you do that, you will end up in an infinite loop. Another thing you can do is force Windows Checker to run on the device and extract which domain the device belongs to - and you can use that info to select the right NTLM profile to be used.
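The source-IP selection Michael describes, written out as an added example iRule fragment (not code from the thread or from the F5 article), with his caveat about roaming devices folded in: clients that match neither subnet are not redirected to a login prompt from the iRule, since that loops, but are logged and handed the default config. The two NTLM Auth object names and the subnets are constructed placeholders; the rest of the article's iRule (ECA enablement, the ECA_REQUEST_ALLOWED handling) is assumed unchanged and not shown.

```tcl
# Added example: pick the NTLM Auth object per client subnet.
# Object names and subnets are placeholders; substitute your own.
when RULE_INIT {
    # One NTLM Auth object per joined domain (names are assumptions)
    set static::ntlm_config_domain_a "/Common/domainA_ntlm_config"
    set static::ntlm_config_domain_b "/Common/domainB_ntlm_config"
    # Used when the source address matches neither domain's subnet.
    # Do not send unmatched clients to a login page from this iRule:
    # as noted in the thread, that produces an infinite loop.
    set static::ntlm_config_default $static::ntlm_config_domain_a
}

when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    # Constructed example subnets for the two desktop networks
    if { [IP::addr $client_ip equals 10.10.0.0/16] } {
        set ntlm_config $static::ntlm_config_domain_a
    } elseif { [IP::addr $client_ip equals 10.20.0.0/16] } {
        set ntlm_config $static::ntlm_config_domain_b
    } else {
        # Roaming devices (VPN pools, guest Wi-Fi) land here
        set ntlm_config $static::ntlm_config_default
        log local0.notice "NTLM SSO: $client_ip matched no domain subnet, using $ntlm_config"
    }
    # Replaces the hardcoded ECA::select from the article
    ECA::select select_ntlm:$ntlm_config
}
```

A roaming domain-B client will fail NTLM against the domain-A default, so the log line is the signal to watch for when deciding whether the Windows Checker approach from the follow-up reply is needed.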