Kerberos 401 authentication with form fallback

Alexandre,

In order to have this work on firefox I had to go to about:config > search for network.negotiate-auth.trusted-uris and add the site you are trying to access. This resolved any prompts I had on firefox.

I have implemented something similar without the 401 prompt but it requires the hostname of the website to be added to the local intranet sites like Nolan said. I use the ECA Profile to trigger an ntlm auth between clients and then look in the ntlm messages exchanged to get the user name and domain. I need this info to redirect specific domains or non-ad users to a form login. Let me know if you need additional info.

Quick question: how does the 401 response kerberos auth work in the case of a web farm? In the apm kerberos sso you put HTTP/% in the spn so that it uses the hostname and talks to the pool member. How does this work in the 401 setup. I tried HTTP/% in the spn name but no luck.

In the case where you have multiple sites resolving to a single VIP and (Kerberos) access policy, you'd either need to switch the access policies based on incoming client IP subnet, or overload the APM keytab file to include all of the SPNs and keys.

I'm probably missing something here. I have one web application with hostname webapp1.domain.com. The app is running on multiple servers with service account webappsvc@domain.com I have an spn for this service account HTTP/webapp1.domain.com. I generated the keytab file and configured the aaa kerberos server with thiskeytab and i put webapp1.domain.com in the server name. If I put webapp1.domain.com in the hosts file and point it to the ip of one web server the auth works fine. But I have many servers. In the case of kerberos sso with kcd you only need to put HTTP/% in the spn to tell the bigip to talk to one of the nodes in the pool. What do you mean by adding all spns ?

By the way here is the flow of NTLM authentication to an IIS server:

https://blogs.technet.microsoft.com/mist/2018/02/14/windows-authentication-http-request-flow-in-iis/

IIS is a user mode application. It sits on top of HTTP.sys, which is the kernel mode driver in the Windows network stack that receives HTTP requests. IIS picks up requests from http.sys, processes them, and calls http.sys to send the response.

IIS, with the release of version 7.0 (Vista/Server 2008), introduced Kernel Mode authentication for Windows Auth (Kerberos & NTLM), and it's enabled by default on all versions. This feature offloads the NTLM and Kerberos authentication work to http.sys. Http.sys, before the request gets sent to IIS, works with the Local Security Authority (LSA, lsass.exe) to authenticate the end user. IIS just receives the result of the auth attempt, and takes appropriate action based on that result.

Before diving into both Kerberos and NTLM request/response flows, it's worth noting that the vast majority of HTTP clients (browsers, apps, etc.) don't send any credentials on their first request for a resource. This means that first request is anonymous, even if credentials have been configured for that resource. This anonymous request, when Windows Auth is enabled and Anonymous Auth is disabled in IIS, results in an HTTP 401 status, which shows up as "401 2 5" in the normal IIS logs. Both request flows below will demonstrate this with a browser, and show that it is normal.

The NTLM and Kerberos exchanges occur via strings encoded into HTTP headers.

If you want to avoid the initial 401 response you have to configue IE and Firefox for that. Chrome picks IE settings:

Example: https://support.avg.com/SupportArticleView?l=en&urlname=How-to-configure-silent-authentication-for-SSO