Forum Discussion

Harrish_371555's avatar
Harrish_371555
Icon for Nimbostratus rankNimbostratus
Sep 27, 2018

Need an iRule to skip Kerberos Authentication for MAC

While trying to edit a document(excel or a word) on a SharePoint site, Only MAC users are getting a prompt to authenticate, Whereas windows users don't have this problem. Our APM policy doesn't have ...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 27, 2018

So, to be clear, this isn't really a Kerberos logon page. Kerberos itself doesn't require a logon page. What's likely happening is that the the server is not accepting the NTLMv2 SSO that you're passing it from Mac clients, and responding with its own 401 response. And since it's NTLM, the 401 would also contain a "WWW-Authenticate" header with a value of "Negotiate", and so the Mac client is interpreting this as Kerberos, can't comply, and so presents the user with the screen you're seeing.

 

It's safe to say this screen is not something you've defined as one of your logon pages, correct? And if so, the screen is actually being generated by the client browser in response to the 401.

 

So basically, you need to look at the server side and determine why the server isn't accepting the NTLMv2 SSO credentials. If you can capture on the client side, using something like Fiddler, you should see a 401 response from the server on Mac clients.