Forum Discussion
Authentication behind F5 LineRate issue.
Hello everyone,
We are testing F5 Linerate as a LB solution for 2 of our core applications and found when we authenticate on the application directly the AD users are able to login without problems. However, when we try to authenticate to the application server using the URL with the hostname in F5 I got our application asking for the Active Directory credentials (same as we use login directly) but it keeps asking for credentials and fails after three times with an IIS 401 error which does not occur when authenticate directly to the application server without F5. Any idea what are we missing to be able to authenticate to the application behind the F5 LineRate?
Thanks in advance for any help,
Elio Diaz
- Andrew_Ragone_2Historic F5 Account
Hello Elio,
How many Real Servers do you have configured in the Virtual Server you are testing? If there are multiple, one thing that comes to mind for the issue you are experiencing is persistence. If persistence is not enabled, you may be successfully authenticating to one server, and then your next request is routed to a different server which has not yet been authenticated.
You can read more about the Persistence options available for your Virtual Server on LineRate here: https://docs.lineratesystems.com/087Release_2.6.1/200CLI_Reference_Guide/Configure_Commands/Virtual_Server_Mode_Commandspersist
To look into what Real Server your requests are getting sent to and how persistence might be enabled, take a look at the results of some of the following commands:
- show real-server < rs_name > (To view request counts handled by a given RS)
- show virtual-server < vs_name > statistics detailed (To show overall requests coming into the Virtual Server, and other persistence data if that is enabled)
-Andrew
- Elio_Diaz_21163NimbostratusHi Andrew, Thanks for replying. For this initial phase we have set two RS. I tried removing persistence and leaving only one RS and it still fails authentication when pointing to VS's URL. Authentication to the app server directly works perfect (BTW it's using Windows authentication / Active Directory.) Application has been set to use an Active Directory user in the Application Pool Identity (The servers are running IIS).- One note, F5 Linerate is not added to the domain. What else we can try? Elio Diaz
- Johnny_Schmidt_Historic F5 AccountIt is possible you are running in to an issue with NTLM authentication over HTTP (see http://www.innovation.ch/personal/ronald/ntlm.html for a good write-up on the subject). If this is the case, and your authentication mechanism is using NTLM over HTTP (which the default for some Microsoft web technologies) then you may have some challenges avoiding the re-authentication steps whenever the real-server connection is closed. As Andrew mentioned, persistence is necessary to make NTLM over HTTP work correctly, but preventing the connection from closing on the real-server side is the key to avoiding constant re-connection attempts. So double-check what the "WWW-Authenticate" header in the initial response looks like (using Chrome developer tools or similar) and if it is indeed of type NTLM then we can discuss how one might work around this with LineRate. Cheers, -johnny
- Elio_Diaz_21163NimbostratusHi Johnny, Thanks for your input. I was able to confirm the two methods used by the app servers ( IIS ) where our application is running are set to Negotiate and NTLM in that order. I have disabled persistence for troubleshooting, what should be the next step to try?- Thanks in advance. Elio Diaz
- Andrew_Ragone_2Historic F5 AccountA good next step would be to take a packet capture on the client side and see 1) what types of headers are coming back (particularly WWW-Authenticate) from the server and 2) how far into the negotiation process you get (ie. what are the packets you get in your conversation) to determine where things are failing. It may be worthwhile, too, to compare the conversation with LineRate in the middle to the one directly taking to the server successfully. This research should help you figure out what needs to be tweaked to get everything to work. Here's a good MSDN article on what you might want to look for when Negotiate is the primary means of auth: http://blogs.msdn.com/b/benjaminperkins/archive/2011/09/14/iis-integrated-windows-authentication-with-negotiate.aspx
- Elio_Diaz_21163NimbostratusHello Andrew, Unfortunately, our trial license for F5 Linerate has expired and we cannot conduct further troubleshooting. Is there any chance we can extend the trial? We want to fully test this solution and make sure it works in our environment before purchasing any licenses. Thanks, Elio Diaz - StateTrust.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com