Forum Discussion

Nimbostratus

Jan 12, 2016

Solved

APM Question: Is Multiple-Domain NTLM authentication possible for one URL domain?

We currently have an access profile setup to have a user select their domain from a dropdown menu on the login page. We are also using SSO Across Authentication Domains on the access profile and for ...

application delivery

BIG-IP Access Policy Manager (APM)

LTM

Lucas_Thompson_
Jan 12, 2016
I'm pretty sure it's not possible to detect the domain prior to using ECA when using NTLM passthough. When ECA is utilized, it must be turned on with a specific ECA profile that's already connected to a specific already-established SCHANNEL connection.

However, I think it's possible to establish a trust relationship so that one DC can use its own SCHANNEL connection to a different domain's DC to use passthrough authentication. This MSDN blog article talks a bit about it:

http://blogs.technet.com/b/isrpfeplat/archive/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments.aspx

Microsoft would probably be able to help in this situation if you aren't sure how to set up the trust. The important thing to understand is that APM uses NTLM passthrough authentication via SCHANNEL from the (configured in APM) NTLM Authentication Profile.

One other thing: When using NTLM Passthrough, APM does not have access to the user's password (this is a limitation of the encryption used in the NTLM protocol), so SSO types that rely on it won't function correctly.

cgallimore_1748

Nimbostratus

Jan 14, 2016

Okay I think I understand now. What we ended up doing was to setup our NTLM SSO configuration with the NTLM Domain set as Session.logon.last.domain and assigned that variable with the correct domain in the VPE after the domaincheck. This seems to do what we were wanting to achieve. Thanks for the help.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)