pboog
Aug 14, 2018

F5 seems to break NTLM Auth when using PowerShell but OK with browser

Hi,

I have a VS with just a server behind it hosting a web service.

When I use PowerShell to call the web service, it works with the direct call to the server but not when F5 is in front.

With a browser, it always works correctly.

The PowerShell calls look like this:

Direct:
Invoke-RestMethod -Uri https://myserver.domain.com:9999/MyPath/Id/21 -UseDefaultCredentials

Via F5:
Invoke-RestMethod -Uri https://myserver-f5.com/MyPath/Id/21 -UseDefaultCredentials

I always receive a 401 with PowerShell and F5.

9 Replies

  • It would be interesting to see the raw http request as we could probably identify an unhealthy/unusual component.

     

  • pboog

    I've done some captures and I can see that PowerShell via direct call uses Kerberos authentication.

    A browser always uses NTLM authentication (direct call or via F5).

    So why isn't Kerberos working with F5 in front and PowerShell?

    The first response from the backend server is always like this (with F5 or not):

    HTTP/1.1 401 Unauthorized
    Content-Length: 0
    Server: Microsoft-HTTPAPI/2.0
    WWW-Authenticate: Kerberos
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic

    With a direct call, PowerShell sends a Kerberos token in the next request and it works. When F5 is in front, PowerShell doesn't send a next request.

    A browser sends an NTLM token in the next request, with F5 or direct call.


  • Is PowerShell able to get a Kerberos ticket for myserver- Or is there only a Kerberos service for myserver.domain.com in your Kerberos database?

     

    Cheers,

     

    Kees

     

  • pboog

    I'm not a Kerberos specialist, but I think there's only a Kerberos service for myserver.domain.com. Do you think I need to configure APM on the F5?

     

  • pboog

    I've changed the hosts file so myserver.domain.com has the same IP address as myserver-; it's the IP of the VS on the F5, and it works!

    I can see the Kerberos token in the LTM log:

    Rule /Common/debug-http : User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-CH) WindowsPowerShell/5.1.16299.551

    Rule /Common/debug-http : Authorization: Kerberos YIIHagYJKoZIhvcSAQICAQBuggdZMIIHVaADAgEF...

    So what is the problem?

     

  • The problem is that there is no service definition for myserver- in your Kerberos database.

     

    Cheers,

     

    Kees
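
The check the last reply points to, as an added example that is not part of the thread: a Windows client requests a ticket for HTTP/<host in the URL>, so this compares SPN registration for the two hostnames written in the original post. Get-HttpSpnStatus is a hypothetical helper name; the script assumes a domain-joined client and searches only the current domain.

```powershell
# Added example (not from the thread). Get-HttpSpnStatus is a hypothetical helper.
# Assumption: run on a domain-joined Windows client; only the current domain is searched.
function Get-HttpSpnStatus {
    param([Parameter(Mandatory)][string]$HostName)

    # Accounts in the current domain that hold the given SPN.
    function Find-SpnOwner([string]$Spn) {
        $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
        $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
        @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
    }

    # An explicit HTTP/ SPN is checked first. If there is none, a HOST/ SPN on a
    # computer account also satisfies HTTP/ requests through the default sPNMappings.
    $spn    = "HTTP/$HostName"
    $owners = Find-SpnOwner $spn
    if ($owners.Count -eq 0) {
        $spn    = "HOST/$HostName"
        $owners = Find-SpnOwner $spn
    }

    $status = switch ($owners.Count) {
        0       { 'Missing: the KDC cannot issue a ticket for this name' }
        1       { 'Registered' }
        default { 'Duplicate: SPN held by several accounts, ticket requests fail' }
    }

    [pscustomobject]@{
        HostName   = $HostName
        MatchedSpn = if ($owners.Count) { $spn } else { $null }
        Accounts   = $owners -join ', '
        Status     = $status
    }
}

# Hostnames as written in the original post: the backend name, then the name of the VS.
'myserver.domain.com', 'myserver-f5.com' |
    ForEach-Object { Get-HttpSpnStatus -HostName $_ } |
    Format-Table -AutoSize

# Ask the KDC for a service ticket directly; this fails for a name with no SPN.
klist get HTTP/myserver-f5.com
```

A "Missing" result for the name of the VS matches the behaviour in the captures: the client cannot obtain a ticket for that name and never sends the second request.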