Forum Discussion
Access Profile NTLM - Auth Configuration
Hello;
This is my scenario: My FQDN is domaininc.com. My NetBIOS name is domain.com. I can register the Machine Account without any issues. But when I try to configure the NTLM Auth Configuration I don't get authenticated: nlclnt[14105cd0a] init: error [0xc00000ca,NT_STATUS_NETWORK_ACCESS_DENIED] setting up secure pipe
I found there is a bug 439880 regarding the NetBIOS/FQDN.
Is there a workaround for this issue?
I will appreciate ANY advice/help.
J
14 Replies
Unfortunately, there is no workaround there. The issue is going to be addressed in the upcoming v12.0 release later this year.
- Julio_Navarro
Cirrostratus
Thank you, Michael, for your quick response.
Do you have any suggestion on another way besides "Leveraging BIG-IP APM for seamless client NTLM Authentication"?
Appreciate your attention.
J
- Julio_Navarro
Cirrostratus
Michael;
We are trying to have a portal against an existing SSO (IdP/SP) portal that is working today, but the user needs to put in Domain User and Domain Password when they are already logged in on the internet network. (That's why your solution "Leveraging BIG-IP APM for seamless client NTLM Authentication" sounds perfect :-) )
Flow:
1) User is authenticated with their Windows PC on the domain.
2) User opens a portal on the F5 (for example: portal.mycompany.com).
3) The F5 catches the NTLM authentication and uses it in the SSO process.
4) User lands on the Service Provider (SP) (for example Workday) without entering username and password.
Thank you
J,
If this is for the internal network only, then you do have a workaround here - Kerberos! Use Kerberos client-side authentication instead of NTLM, and it should work just as well.
- Julio_Navarro
Cirrostratus
Quick question: If I have 500 users, I need to add 500 Kerberos accounts?
Joining a Kerberos user account to a domain
To use Kerberos authentication, you need the client joined and connected to a domain and you need a keytab file.
1) Create a surrogate user in the domain. In this example, the hostname of the virtual server on the BIG-IP system is testbed.lab.companynet and the user name is john.
setspn -U -A HTTP/testbed.lab.companynet john
2) Map the user account to the service account and generate a keytab file for the service. You can use the ktpass utility to do this. In this example, LAB.COMPANYNET specifies the Kerberos authentication realm.
c:\>ktpass -princ HTTP/testbed.lab.companynet.com@LAB.COMPANYNET -mapuser john@LAB.COMPANYNET -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass password -out c:\temp\john.keytab
No, you only need one "surrogate" account that will represent the SPN/FQDN that the user connects to (such as myapm.mycompany.com). The sole purpose of the user account is to be able to process/accept Kerberos tickets.
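As an added check that is not part of the thread or of F5's documentation: ktpass writes the surrogate account's key into an MIT-format keytab, and a common reason for "Authentication required" is that the principal in that file does not match the hostname users actually connect to (note the setspn and ktpass commands above use testbed.lab.companynet and testbed.lab.companynet.com respectively). The Python below parses such a keytab and compares its principal with the expected SPN; the SPN, realm and key bytes it uses are constructed test values, and build_keytab only exists to create a fixture.

```python
import struct

# Added check (not F5 code). The SPN, realm and key bytes used below are constructed test values.
KRB5_NT_SRV_HST = 3   # the -ptype in the ktpass command above

def _cstr(b):         # keytab "counted octet string": big-endian uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _take(data, pos): # read one counted octet string; return (bytes, new position)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, realm, enctype, kvno, key):
    """Build a one-entry MIT keytab (version 0x0502) as a test fixture, in the layout ktpass -out produces."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)   # name type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cstr(key)                 # keyblock
    body += struct.pack(">I", kvno)                                 # optional 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [{principal, realm, enctype, kvno}] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                # a negative size marks a deleted slot; skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos); comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        (etype,) = struct.unpack_from(">H", data, pos); pos += 2
        _key, pos = _take(data, pos) # the key material itself is not needed for this check
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "enctype": etype, "kvno": kvno})
        pos = end
    return entries

def check_keytab(data, expected_spn, expected_realm):
    """List problems for the SPN users actually connect to; an empty list means the keytab looks right."""
    entries = parse_keytab(data)
    found = ["%s@%s" % (e["principal"], e["realm"]) for e in entries]
    # rc4-hmac-nt (enctype 23) still works but is deprecated; AES enctypes are preferred
    problems = ["%s uses rc4-hmac-nt (enctype 23); prefer an AES enctype" % e["principal"] for e in entries if e["enctype"] == 23]
    if "%s@%s" % (expected_spn, expected_realm) not in found:
        problems.insert(0, "no key for %s@%s (found: %s)" % (expected_spn, expected_realm, ", ".join(found) or "none"))
    return problems
```

Run check_keytab on the real file with open(path, "rb").read() and the exact hostname in the virtual server's URL; Kerberos principal comparison is case-sensitive, so the check is too.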
- Julio_Navarro
Cirrostratus
Hello Michael!
I have done the following: 1) Created the AD account/Kerberos. 2) Tested the auth: kinit HTTP/url.com@DOMAIN.COM, and it works. 3) Created the APM access as explained in https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html
I am getting "Authentication required to access the resources."
Please advise. Thank you.
J
- Julio_Navarro
Cirrostratus
I just opened a ticket with F5.
By the way, should the "kdc = 10.10.10.10" be in /etc/krb5.conf under the "default_realm"? Or better yet, should this file be touched at all? I only have one realm (no multi-realm). Thank you
- Julio_Navarro
Cirrostratus
Michael;
It worked now! Like a charm!
Thank you for your support!
- Julio_Navarro
Cirrostratus
Hi Michael!
Sorry for contacting you directly, but maybe you know what might be going on. I am using: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html
It's working great. But if the user decides to open another tab/browser, Kerberos doesn't kick in and the Windows credentials pop-up appears.
Any idea? Please advise.
Thank you
J