Forum Discussion

Kevin_Gay_24864's avatar
Icon for Nimbostratus rankNimbostratus
Mar 01, 2019

APM Forms-based logon with NTLM SSO Backend

I've been fighting this a bit and not finding the solution on other DevCentral Articles.


Goal Synopsis:


  • User opens internet portal page.
  • Presented with Forms-based login page, user enters this username (e.g. firstinital.lastname) and password
  • A chain of 5 AD forests is tested against this username.
  • On Success, the F5 passes NTLM auth to a backend webserver, in this instance sharepoint 2016.

What's working: Everything up until the SSO mapping/ntlm result which needs to be passed to sharepoint.


Below is the flow I've made, NTLM auth result I threw in as a test, the message boxes are just debug to see which branch is hit without digging in logs.


The All AD Auth is the AD chain I mentioned, I'm also assigning a variable after each success to set the session.logon.last.domain to the corresponding AD in case it's needed later in the chain.


I'm also doing a basic 401 challenge for internal NTLM and redirecting to either internal or logon page based on client IP.



Backend things:


BIG-IP Build 0.0.4 Point Release 2


NTLMv2 SSO is on the SSO cred mapping, however, it's targeting 1 domain only. This one domain is the hub in a hub/spoke AD trust layout, so any user from any domain can auth to it.


I'm using iRules to handle the resource assignment since I'm directing to pools based on the hostname requested (we have a lot, it's annoying), but isn't an issue.


I've not set up that one NTLM setting I can't remember off the top of my head that can only be done via TMM CLI because I could only find it mentioned in version 11 or older BIG-IPs.


Next Steps: I'm really not sure, everything I've been finding says this should be working but it's not and I can't find anything on DevCentral that matches what I'm trying to do. It's all either been 401 challenge pages or something to do with SSO to MS Exchange. So I'm throwing this on here hoping someone has an idea as to what I'm missing.


1 Reply

  • The TMSH config you're missing is the eca profile, it's only needed if your client side NTLM authentication isn't working.


    Is the SSO failing on the forms branch or the NTLM branch?


    IIRC we had issues doing NTLM auth to NTLM SSO and will try and figure out how we got around it.


    Forms to NTLM should be fine, but I'm wondering if the 5 domains/forests is causing the issue. Are you able to test a user that's in the domain that you're doing SSO to?