Forum Discussion
APM Negotiate Kerberos Only
I have a simple APM policy starting with 401 Response configured for basic + negotiation, followed by a Kerberos Auth. When a domain member connects with IE, the Integrated Windows Authentication works great and does automatic authentication without prompting the user for logon. The problem is for non-domain Windows systems using IE or Firefox. They are immediately presented with a logon window, but it tries NTLM every time, which fails.
Is there a way to force non-domain members to BASIC instead?
- Daniel_Varela
Employee
Same problem here. The browser keeps sending Authentication negotiate all the time even if the configuration says the site is not trusted. I guess this is more a browser problem than an APM one, but I wonder how the basic branch is used if the browsers send the authentication negotiate header all the time.
- Przemyslaw_Wyr1
Altocumulus
It would be nice if, when negotiation was false, the flow went to the "fallback" branch instead of sending a 401 response to the browser. But unfortunately it does not.
Do you have any update on this post?
- Baddogsettle_16
Nimbostratus
We added a Form-based Logon to the 'HTTP 401 Response' fallback. Right when we finally had it working pretty well in the lab, management decided they did not want integrated authentication for the service.
- JWhitesPro_1928
Cirrostratus
It's expected behavior that the browser gives you a logon prompt like that for basic authentication when negotiation fails. I had this issue when I set one of these up recently and I think it ended up being the format that I put the 'basic auth realm' in the HTTP 401 response option. Try changing it to just your domain name without the suffix (i.e., f5 instead of )
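
Added example, not part of any post in this thread and not F5 code: a Python helper for checking, from a captured `Authorization` request header, whether a client answered the 401 with Kerberos, with NTLM carried inside `Negotiate` (the failure described in the first post), or with Basic. The function name and the sample tokens are constructed for illustration, and the OID scan is a heuristic on the token prefix, not a full ASN.1 parser.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP = b"NTLMSSP\x00"                              # raw NTLM message signature


def classify_authorization(value):
    """Return 'basic', 'ntlm', 'kerberos' or 'unknown' for an Authorization value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP):  # NTLM sent directly, even under "Negotiate"
        return "ntlm"
    if not token.startswith(b"\x60"):  # GSS-API tokens start with APPLICATION 0
        return "unknown"
    head = token[:128]
    krb = min((i for i in (head.find(KRB5), head.find(MS_KRB5)) if i >= 0), default=-1)
    ntlm = head.find(NTLM_OID)
    # The first mechanism listed is the one the client's token is built for.
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos"
    return "ntlm" if ntlm >= 0 else "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed samples: token prefixes only, not captured traffic.
SAMPLES = {
    "domain member": "Negotiate " + _b64(
        b"\x60\x82\x05\x00" + SPNEGO + b"\xa0\x24\x30\x22" + MS_KRB5 + KRB5 + NTLM_OID),
    "non-domain": "Negotiate " + _b64(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "basic": "Basic " + _b64(b"user:constructed-password"),
}
```
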