Forum Discussion
HTTP - basic NTLM auth
I’m not sure the HTTP 401 response agent is able to work in conjunction with NTLM Auth Result. The negotiate branch is typically used for Kerberos authentication. You should follow this cookbook to implement NTLM auth:
https://devcentral.f5.com/s/articles/configuring-apm-client-side-ntlm-authentication
And after the NTLM Auth Result agent, I would also expect an SSO Credential Mapping agent. Also set the access policy itself to use NTLM SSO.
- The-messenger Jun 14, 2019
Cirrostratus
That's where I started with this but not being confident of what the developer is sending, thought I would try to put some more in the VPE.
Set back to just NTLM.
Added some logging (Splunk formatted):
```
when HTTP_REQUEST {
    if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {
        ECA::disable
    } else {
        ECA::enable
        ECA::select select_ntlm:/Common/DC2-LTM-NTLM
    }
    # Get Client request and browser information
    set pol_client_browser [HTTP::header User-Agent]
    set pol_http_host [HTTP::host]
    set pol_http_uri [HTTP::uri]
    set pol_http_header [HTTP::request]
    log -noname local0. "pol_client_browser=\"$pol_client_browser\" --pol_http_host=\"$pol_http_host\" -- pol_http_uri=\"$pol_http_uri\" -- pol_http_header=\"$pol_http_header\""
}
```
With logging set on this now, I can see the header data. Looks like the app is trying to get/use a token from the application behind the BIG-IP with the URI /api/1/tokens
```
GET /api/1/tokens/retrieve HTTP/1.1
User-Agent: Faraday v0.15.4
Authorization: NTLM TlRMTVNTA;;KDKKKKDFJJFJFIIKDKKKDAAAAAAA
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
Connection: keep-alive
Keep-Alive: 30
Host: doxlyapi.HOST.COM
```
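To see what a client is actually sending in an `Authorization: NTLM` header like the one logged above, the token can be decoded offline and reduced to its NTLM message type and, for a Type 3 message, the domain, user and workstation fields, so the log or ticket carries a summary rather than the raw token. This is an added example, not code from the thread or from F5; the function name `parse_ntlm_authorization` and the sample message are constructed for illustration.

```python
import base64
import binascii
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001

def _field(msg, off, unicode_):
    """Read one security buffer (len, maxlen, offset) and return its string."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length].decode("utf-16-le" if unicode_ else "latin-1")


def parse_ntlm_authorization(value):
    """Summarise an 'Authorization: NTLM <base64>' value without echoing the token."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return {"ok": False, "error": "not an NTLM Authorization value"}
    try:
        msg = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "error": "token is not valid base64 (truncated or redacted?)"}
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        return {"ok": False, "error": "missing NTLMSSP signature"}
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"ok": True, "type": NTLM_TYPES.get(mtype, "UNKNOWN(%d)" % mtype)}
    try:
        if mtype == 1:      # Type 1: flags directly after the message type
            out["flags"] = hex(struct.unpack_from("<I", msg, 12)[0])
        elif mtype == 3:    # Type 3: six security buffers, then flags at offset 60
            flags = struct.unpack_from("<I", msg, 60)[0]
            uni = bool(flags & NEGOTIATE_UNICODE)
            out.update(flags=hex(flags), domain=_field(msg, 28, uni),
                       user=_field(msg, 36, uni), workstation=_field(msg, 44, uni))
    except (struct.error, ValueError) as exc:
        return {"ok": False, "error": "malformed type %d message: %s" % (mtype, exc)}
    return out


# Constructed sample: a minimal Type 1 (NEGOTIATE) message with empty domain/workstation.
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16).decode()

if __name__ == "__main__":
    print(parse_ntlm_authorization(SAMPLE_TYPE1))
    # The token as posted in the thread is not decodable and is reported as such.
    print(parse_ntlm_authorization("NTLM TlRMTVNTA;;KDKKKKDFJJFJFIIKDKKKDAAAAAAA"))
```

A Type 1 result means the client has only opened the handshake; a Type 3 result is the message that carries the account the client is authenticating as.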