Forum Discussion

zafer's avatar
zafer
Icon for Nimbostratus rankNimbostratus
17 years ago

ntlm and oneconnect

Hello     i have problem with oneconnect profile when i use NTLM authentication on portal website       All user authenticates from Domain and IIS control clients with inte...
application delivery
dev
devops
irules
Mark_Curole's avatar
Mark_Curole
Icon for Nimbostratus rankNimbostratus
17 years ago
I have an open case with support on this. I am running 9.3.1 and the initial feedback I am getting is that the two do not mix well. The case is still open, but the support person gave me a few options. One was to use an iRule to disable Oneconnect when an NTLM request comes through. In my situation this is a reasonable solution (fixing Oneconnect would be best), because my site is mostly unathenticated. Also, my IE clients will authenticate using Kerberos. The only time NTLM comes into play is for Firfox clients. So having a few connections that cannot be multiplexed is not a big issue.

Here is my solution - 

  
  ; Rule to disabled OneConnect for NTLM Sessions  
  when RULE_INIT {  
  set ::CNTLM_Debug 0  
  }  
    
  when HTTP_REQUEST {  
  if { $::CNTLM_Debug } {  
  log local0. "Authorization header -> [HTTP::header Authorization]"  
  }  
    
  if { [string tolower [HTTP::header Authorization]] starts_with "ntlm" } {  
  set ntlmreq 1  
  } else {  
  set ntlmreq 0  
  }  
  }  
    
  when HTTP_RESPONSE {  
  if { $ntlmreq } {  
  ONECONNECT::detach disable  
    
  if { $::CNTLM_Debug } {  
  log local0. "NTLM Request detected. Disabling Oneconnet"  
  }  
  }  
    
  }