David__Pasch
Oct 02, 2006

Integrated Windows Authentication

All,

I apologize up front if I am in the wrong forum or this question is incorrectly directed.

I have been asked to create a monitor that can use the authentication that is built into the browser.

Our users can access the applications on our servers via the automatic AD authentication that occurs between the browser, the server, and the AD domain controller.

The application owners will not enable basic authentication, so I cannot use a standard monitor.

I think I need an iRule.

If I am correct, can someone provide direction or an example of how I can work this authentication into an iRule or monitor?

I have a valid account for the AD domain.

I just can't seem to get it to pass to the server.

Thanks in advance!!!

D

  • hoolio
    Hi there,

    I found a past case where someone requested help building a monitor that uses Windows Authentication (NTLM). Here is a note from that case:

    The monitor has no mechanism to negotiate the Kerberos or NTLM portion of the Windows Authentication method. The monitor is simply looking for values in the receive string to be returned to it.

    I can send up a Feature Request to development to ask to have this functionality added in a future release.

    The only other suggestion that I can make would be to spend some time with our consulting team. They may be able to come up with a script that your monitor can use to negotiate the Windows Integrated Authentication and grep for content of the page received, and forward the pass or fail to the monitor.

    And some info from a related (unpublished) solution:

    Do BIG-IP monitors support HTTP NTLM Authentication?

    BIG-IP does not support NTLM authentication by default, however it may be possible to create an external monitor to do this.

    To see how NTLM HTTP authentication works, you may access this URL:

    Authentication in WinHTTP
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/authentication_in_winhttp.asp

    IIS Authentication
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconiisauthentication.asp

    IIS 4.0 and 5.0 Authentication Methods Chart
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/authmeth.mspx

    It also looks like there might be Perl modules you could use in an external monitor that could handle the NTLM authentication. Of course, this wouldn't be a supported option, but it could work.

    And, as it seems that there are a fair number of requests for NTLM authentication support in monitors, you might consider opening a case with support and asking for this in an RFE.

    Aaron
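
The external-monitor approach suggested in the reply above, sketched as an added example (not code from the thread or from F5). It assumes curl with NTLM support is available on the BIG-IP and that the pool member speaks plain HTTP; `URI`, `RECV`, `NTLM_USER` and `NTLM_PASS` are hypothetical monitor variables passed in the environment.

```shell
#!/bin/sh
# Added example: external monitor sketch for an NTLM-protected page.
# An external monitor is called with the member address as $1 and the port
# as $2; any output on stdout marks the member up, no output marks it down.

# The member address is often passed IPv4-mapped (::ffff:a.b.c.d).
node_ip() {
    printf '%s\n' "${1#::ffff:}"
}

# Fetch the page with NTLM. The credentials are fed to curl as a config
# line on stdin (-K -) so the password never shows up in the process list.
# Assumes the password contains no double quotes or backslashes.
fetch_ntlm() {
    printf 'user = "%s:%s"\n' "$NTLM_USER" "$NTLM_PASS" |
        curl -K - --ntlm --silent --fail --max-time 5 "http://$1:$2${URI:-/}"
}

# Succeeds only when the response body contains the receive string.
body_matches() {
    printf '%s' "$1" | grep -q -F -- "$2"
}

# Prints UP when the authenticated fetch works and the body matches RECV.
# FETCH can name a different fetch function (hypothetical hook for testing).
monitor() {
    _ip=$(node_ip "$1")
    _body=$("${FETCH:-fetch_ntlm}" "$_ip" "$2") || return 1
    body_matches "$_body" "${RECV:?RECV not set}" && echo UP
}

# Run only when invoked as a monitor with address and port arguments.
if [ "$#" -ge 2 ]; then
    monitor "$1" "$2"
fi
```

Use a dedicated AD account with no rights beyond reading the health page, since its password has to be stored in the monitor configuration.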