Hello, I configured an F5 App using Kerberos Authentication along with Azure AD. But at the moment I want to make the same App ready for NTLM Auth using Azure AD. Reference Doc I am following is this. Question is how/what I need to modify to change it to NTLM Based from Kerberos Based Application. https://blog.azureinfra.com/2019/04/29/f5-big-ip-aad-basic-ntlm/

can't tell you from my mind fully, but as you already have Azure AD setup with Kerberos working and you have a good guide for Azure AD setup with NTLM, can't you compare the two and work it out? or even build the NTLM one next to your current one and move over once it works? the big difference will be that you need to ask for the password as that is needed for NTLM and not for Kerberos. your SSO object will change from Kerberos to NTLM or Basic as shown in the page you. Which means your backend server will also need to allow one of those.

Actually Kerberos one was not working it was setup and when tested it did not work and Backend App was not ready for Kerberos hence whatever configured for Kerberos trying to move to NTLM. When user tries it shows error as attached. Please advise if you get a hint from it. One quick note is when user tries they get the Microsoft Landing page , they try to authenticate using email address and I have been told they have to try using email address as user name. However user tested with "DomainName\Username" it did not work too. Azure side they see the log for Authentication as passed but I see error at F5 side as attached. I will also match as you mentioned above.

a quick search on the error throws up a couple of possible leads, this one seems most useful to check: https://www.devcentral.f5.com/s/question/0D51T00007HRNdd/authentication-via-azure-ad-blocked-by-access-policy

Hello , After I do medadata import / export manually seems application is accessible with some caveats. I need to fix it. Problem now user gets too many authentication ask Once when user tries to connect for 1st time ( user get microfost online link ) Then user is presented with F5 Form , interestingly user name field is Non-Editable and not even show the username Then from application interface username / password form is presented. I attached APM Log and APM Policy screenshot if it helps. I also checked that if user put wrong password at F5 Form it does not allow to move forward. Question is why user is authenticated 3 times and how I can resolve it ? APM Log says " Could not fine SSO username, check SSO credential mapping agent setting" no idea why it shows this error and does it give any clue ?

Configure NTLM Based App with F5 and Azure AD

18 Replies

boneyard
MVP
Feb 27, 2021
can't tell you from my mind fully, but as you already have Azure AD setup with Kerberos working and you have a good guide for Azure AD setup with NTLM, can't you compare the two and work it out?

or even build the NTLM one next to your current one and move over once it works?

the big difference will be that you need to ask for the password as that is needed for NTLM and not for Kerberos. your SSO object will change from Kerberos to NTLM or Basic as shown in the page you. Which means your backend server will also need to allow one of those.
- Subrun
  Cirrostratus
  Mar 02, 2021
  Actually Kerberos one was not working it was setup and when tested it did not work and Backend App was not ready for Kerberos hence whatever configured for Kerberos trying to move to NTLM.
  
  When user tries it shows error as attached. Please advise if you get a hint from it.
  
  One quick note is when user tries they get the Microsoft Landing page , they try to authenticate using email address and I have been told they have to try using email address as user name. However user tested with "DomainName\Username" it did not work too. Azure side they see the log for Authentication as passed but I see error at F5 side as attached.
  
  I will also match as you mentioned above.
  - boneyard
    MVP
    Mar 02, 2021
    a quick search on the error throws up a couple of possible leads, this one seems most useful to check:
    
    https://www.devcentral.f5.com/s/question/0D51T00007HRNdd/authentication-via-azure-ad-blocked-by-access-policy
Subrun
Cirrostratus
Apr 07, 2021
i do assume you assign session.logon.last.usernameUPN in the SSO mapping object? -- Sorry Where do I check this ?
- boneyard
  MVP
  Apr 11, 2021
  SSO Credential Mapping VPE, though i now see you use it in the SSO element
  
  so it is fixing that mapping, session.saml.last.attr.name.Identity sounds logical, did you already try that? still be to look into your APM session variables to double check.

Forum Discussion

Configure NTLM Based App with F5 and Azure AD

18 Replies

Recent Discussions

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Related Content

Re: NGINX for Azure: Load Balancing

SSLO in public cloud: Azure inbound L3 use case

Deploying F5 BIG-IP with Azure Cross-region load balancer

Integration of Azure Sentinel and F5 BIG-IP using TS and AS3

Re: F5 NGINX for Azure: Multi-Region Architecture