APM - proxy NTLMv1 client side auth to NTLMv2 server side

Question

Hi,&nbsp;
I've been asked if the F5 can proxy a request between a client that supports NTLMv1 and a server that currently supports NTLMv2.&nbsp;
My understanding of the NTLMv2 SSO Configuration is that it expects the client password to be known, and it uses that in combination with the username and domain to generate the NTLM token to be sent to the server.&nbsp;
Can the F5 pull the password out of an NTLM token sent by the client? I had a look at a session dump of an NTLM authenticated client side connection, but couldn't see a session variable for it.&nbsp;
I suspect my options are:&nbsp;
Set the password using a variable assign in the access profile (client connecting is using a service account so the password doesn't change) but that's not idealSee if the server can be configured to support Kerberos and then setup a kerberos SSO configuration to authenticate server side
Appreciate any thoughts or suggestions &nbsp;
Cheers,
Simon&nbsp;

stanislas_piro2 · Answer

This is not possible with any product to proxy ntlm auth.&nbsp;
When client authenticate with ntlm on any server, it doesn’t receive the password -—&gt; it can’t authenticate with password on server side.&nbsp;
The server side authentication must be password less like Kerberos sso.&nbsp;

Forum Discussion

APM - proxy NTLMv1 client side auth to NTLMv2 server side

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

irule to enable http/2 acceleration

VS FORWARDING & ROUTE

Statistics ›› Analytics : HTTP : Overview

SNI Sites not taking correct certificate.

Related Content

iRule based RADIUS Client Stack

Authentication Failed with NTLMv2

Enhance your Application Security using Client-side signals

Overview of Trusted Client IP Headers in F5 Distributed Cloud Platform

F5 VPN Client from Raspberry Pi

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS