Forum Discussion

Nimbostratus

Apr 22, 2014

Irule: Intercepting NTLM authentication requests and responding with a static service account and password

I have a scenario where I am doing two factor authentication on the front-end of a virtual server, which does not include ntlm authentication. Unfortunately the back-end application requires ntlm aut...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Apr 22, 2014

How do you configure the service account piece.

Create a new NTLM SSO profile. Take note of the username and password source variables in this profile.
Create a new access policy and assign the above SSO profile to it.
Open the visual policy editor for this new access policy and create a Variable Assignment agent. In this case, you'll probably want to set and create the session.logon.last.username and session.logon.last.password variables. Example:
```
session.logon.last.username = expr { "bob.user" }    
session.logon.last.password = expr { "jimbob" } <- set the secure option    
```
After the Variable Assignment agent, add an SSO Credential Mapping agent. Leave the default values.
End with a simple Allow block.
Apply this access policy the the LTM VIP.

When a user accesses this VIP, the access policy will trigger the SSO and use the static values in the variable assignment (the service account) to perform NTLM challenge/response authentication with the web server.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)