Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Kerberos 401 authentication with form fallback

Hello,   we are using APM for SAML authentication. Domain joined machines should authenticate transparently with Kerberos, users without the ability to use Kerberos (non domain joined, Firefox wit...
BIG-IP Access Policy Manager (APM)
kerberos
security
SSO
JoeTheFifth's avatar
JoeTheFifth
Icon for Altostratus rankAltostratus
Oct 08, 2018

I can't find the QOUTE button so I'm replying to this: Even if you put the URL in the browser's trusted intranet sites list, I believe (specifically for Kerberos) that the browser still makes an initial anonymous request.

 

yes. That's the normal behaviour. See the blog above:

 

Before diving into both Kerberos and NTLM request/response flows, it's worth noting that the vast majority of HTTP clients (browsers, apps, etc.) don't send any credentials on their first request for a resource. This means that first request is anonymous, even if credentials have been configured for that resource. This anonymous request, when Windows Auth is enabled and Anonymous Auth is disabled in IIS, results in an HTTP 401 status, which shows up as "401 2 5" in the normal IIS logs. Both request flows below will demonstrate this with a browser, and show that it is normal.

 

I don't have an issue with that. My only issue for the moment is using multiple servers with a site configured to run under a user account.