NTLM advice please
We're planning on hosting HP TRIM server for some clients on a separate domain. My understanding is the client software uses NTLM to pass credentials to the server and this is the only authentication mechanism available. I'm wondering if there is some way of mapping credentials from one domain to another domain via the F5 LTM with APM or some crazy techno-magic similar to that?
One possibility I'm envisaging:
- Client starts an APM session with a set of credentials on our domain.
- TRIM client is then permitted to connect to the TRIM virtual server hosted on the F5.
- When the F5 receives TRIM client traffic, it confirms that the client traffic is part of the previously established APM session somehow, and nukes whatever NTLM stuff is in said traffic, replacing it with NTLM stuff based on the cached credentials for the session, so that our TRIM server receives the APM credentials instead.
Is that how it would have to work? Is that even possible?
2 Replies
Kevin_Stewart (Employee)
I think that's a reasonable solution. Allow me to elaborate:
- Your (browser?) client initiates an APM session and passes (explicit?) logon credentials. Those credentials are potentially vetted and then stored in the session.
- The TRIM client starts and passes NTLM credentials. We know, by virtue of some mechanism that hasn't been discussed yet, that the TRIM client is on the same host that has an active web-based session.
- APM strips the TRIM client's NTLM header (is it an HTTP-based client?) and applies an NTLM SSO to the server-side dialog using the cached credentials from the explicit web-based logon.
Does that sound about right? If so, the following questions remain:
- Is the TRIM client web-based, such that the NTLM data is in an Authorization header in an HTTP request?
- What can you use to correlate the web client to the TRIM client? Will the TRIM client consume and use cookies? Does the web client launch the TRIM client with a special URL?
Sam_Hall (Nimbostratus)
I discovered HP TRIM client/server traffic uses RCF (Remote Call Framework) over TCP port 1137 for TRIM client traffic; this is encapsulated within NTLM or Kerberos, which provides both the authentication mechanism and some level of encryption. There are no alternative authentication options available.
HP recommends deploying a "Workgroup Server" on each site and then have a central database. That's not ideal in this situation as we were hoping to offer the service from entirely within our own infrastructure.
Another viable option would be to ask that the clients firstly establish a VPN connection, but then we would still have to overcome the issue of mapping user credentials which goes away if we have them host the TRIM Workgroup Server on their own domain. I guess we could trust the VPN allocated IP address at that stage and attempt to offload NTLM or something, though I'm not sure it's worth the effort. We'll probably present them with the options of setting up cross domain trust vs. hosting their own TRIM Workgroup Server.
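An added example, not code from this thread, from F5 or from HP, to show concretely what the "NTLM stuff" in the proposed flow consists of, in both forms discussed above: the `Authorization: NTLM <base64>` header Kevin asked about, and the raw TCP stream Sam found on port 1137. It builds and decodes the three MS-NLMP messages (NEGOTIATE, CHALLENGE, AUTHENTICATE) and shows the domain, user and workstation a server would see. The domain `CORP`, user `alice`, workstation `WS01`, the junk prefix standing in for RCF framing, and the 24-byte NT response are constructed placeholders; computing a real NTLMv2 response is not shown.

```python
"""Minimal MS-NLMP (NTLM) message encoder/decoder.

Added example for this thread, not F5 or HP code. It builds and parses the three
NTLMSSP messages so you can see what sits inside an "Authorization: NTLM <base64>"
header or inside a raw TCP payload such as the RCF stream on port 1137. The NT
response bytes used in the demo are a constructed placeholder.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# A few NegotiateFlags values from MS-NLMP section 2.2.2.5.
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020      # sealing is what gives the stream its encryption
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

DEFAULT_FLAGS = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_SIGN | NEGOTIATE_SEAL
                 | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY)


def _pack_fields(items, base):
    """Return (field descriptors, payload); each item is placed after offset `base`."""
    fields, payload, offset = b"", b"", base
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)  # Len, MaxLen, BufferOffset
        payload += item
        offset += len(item)
    return fields, payload


def _read_field(buf, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    return buf[offset:offset + length]


def _text(data, flags):
    return data.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")


def build_negotiate(flags=DEFAULT_FLAGS):
    """NEGOTIATE_MESSAGE (type 1): 32-byte header, empty domain and workstation."""
    fields, payload = _pack_fields([b"", b""], 32)
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + fields + payload


def build_challenge(server_challenge, target_name, flags=DEFAULT_FLAGS, target_info=b""):
    """CHALLENGE_MESSAGE (type 2): 48-byte header carrying the server's 8-byte nonce."""
    assert len(server_challenge) == 8
    name = target_name.encode("utf-16-le")
    name_field = struct.pack("<HHI", len(name), len(name), 48)
    info_field = struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + name_field
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + info_field + name + target_info)


def build_authenticate(domain, user, workstation, nt_response,
                       lm_response=b"", flags=DEFAULT_FLAGS):
    """AUTHENTICATE_MESSAGE (type 3): 64-byte header, then the payload blobs."""
    enc = lambda s: s.encode("utf-16-le")
    # Header field order: LM response, NT response, domain, user, workstation, session key.
    items = [lm_response, nt_response, enc(domain), enc(user), enc(workstation), b""]
    fields, payload = _pack_fields(items, 64)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_ntlm_message(buf):
    """Decode any of the three message types into a dict (offsets are message-relative)."""
    if not buf.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:
        return {"type": "NEGOTIATE", "flags": struct.unpack_from("<I", buf, 12)[0]}
    if msg_type == 2:
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": "CHALLENGE", "flags": flags, "server_challenge": buf[24:32],
                "target_name": _text(_read_field(buf, 12), flags)}
    if msg_type == 3:
        flags = struct.unpack_from("<I", buf, 60)[0]
        return {"type": "AUTHENTICATE", "flags": flags,
                "lm_response": _read_field(buf, 12), "nt_response": _read_field(buf, 20),
                "domain": _text(_read_field(buf, 28), flags),
                "user": _text(_read_field(buf, 36), flags),
                "workstation": _text(_read_field(buf, 44), flags)}
    raise ValueError("unknown NTLM message type %d" % msg_type)


def authorization_header(msg):
    """The HTTP form: Authorization: NTLM <base64 message>."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_authorization_header(value):
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return parse_ntlm_message(base64.b64decode(token))


def find_ntlm_messages(stream):
    """The raw-TCP form: locate NTLMSSP messages embedded in an arbitrary payload."""
    found, pos = [], stream.find(NTLMSSP_SIGNATURE)
    while pos != -1:
        found.append((pos, parse_ntlm_message(stream[pos:])))
        pos = stream.find(NTLMSSP_SIGNATURE, pos + 1)
    return found


if __name__ == "__main__":
    # Constructed sample: CORP\alice on WS01 with a placeholder 24-byte NT response.
    auth = build_authenticate("CORP", "alice", "WS01", b"\x11" * 24)
    print(parse_authorization_header(authorization_header(auth)))
    print(find_ntlm_messages(b"\x00\x10RCF-junk" + auth))
```

The decoded AUTHENTICATE message is why a device in the path cannot simply overwrite the credential blob: its NT response is computed over the nonce the server sent in its own CHALLENGE message, and with the SIGN/SEAL flags negotiated, the session key that protects the rest of the stream is derived from that exchange as well. An F5 doing NTLM SSO therefore has to terminate the client's handshake and run a fresh one to the TRIM server with the cached credentials, which is only possible where APM can see and reassemble the protocol: the Authorization header for an HTTP client, or the raw RCF stream on port 1137 for the native client.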