I have an open case with support on this. I am running 9.3.1 and the initial feedback I am getting is that the two do not mix well. The case is still open, but the support person gave me a few options. One was to use an iRule to disable OneConnect when an NTLM request comes through. In my situation this is a reasonable solution (fixing OneConnect would be best), because my site is mostly unauthenticated. Also, my IE clients will authenticate using Kerberos. The only time NTLM comes into play is for Firefox clients. So having a few connections that cannot be multiplexed is not a big issue.
Here is my solution -
    # Rule to disable OneConnect for NTLM sessions
    when RULE_INIT {
        # Set to 1 to log the Authorization header and each detach decision
        set ::CNTLM_Debug 0
    }
    when HTTP_REQUEST {
        if { $::CNTLM_Debug } {
            log local0. "Authorization header -> [HTTP::header Authorization]"
        }
        # Flag requests that carry an NTLM Authorization header
        if { [string tolower [HTTP::header Authorization]] starts_with "ntlm" } {
            set ntlmreq 1
        } else {
            set ntlmreq 0
        }
    }
    when HTTP_RESPONSE {
        # Keep the server-side connection attached to this client for NTLM requests
        if { $ntlmreq } {
            ONECONNECT::detach disable
            if { $::CNTLM_Debug } {
                log local0. "NTLM Request detected. Disabling OneConnect"
            }
        }
    }
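An added example, not part of the original post and not F5 code: a toy Python model of why pooling server-side connections conflicts with NTLM, and what keeping the connection attached changes. It assumes NTLM authenticates the server-side connection rather than each request, and collapses the handshake into one step; the class, function and client names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerConn:
    """Server-side connection; NTLM ties the authenticated user to it."""
    ident: int
    authed_user: Optional[str] = None


class Proxy:
    """Toy proxy that multiplexes clients over pooled server-side connections."""

    def __init__(self, detach_disable_on_ntlm: bool):
        self.rule = detach_disable_on_ntlm  # models the posted iRule being attached
        self.idle = []                      # connections available for reuse
        self.pinned = {}                    # client -> connection kept attached
        self.opened = 0

    def request(self, client: str, authorization: str = "") -> Optional[str]:
        """Forward one request and return the identity the server applies to it."""
        conn = self.pinned.get(client)
        if conn is None and self.idle:
            conn = self.idle.pop()
        if conn is None:
            self.opened += 1
            conn = ServerConn(self.opened)
        # Same test as the iRule: Authorization header starts with "ntlm".
        is_ntlm = authorization.lower().startswith("ntlm")
        if is_ntlm:
            conn.authed_user = client  # simplification: handshake collapsed to one step
        seen_as = conn.authed_user
        if self.rule and is_ntlm:
            self.pinned[client] = conn  # like ONECONNECT::detach disable
        elif client not in self.pinned:
            self.idle.append(conn)      # returned to the pool for any client
        return seen_as


def run(detach_disable_on_ntlm: bool):
    """Constructed scenario: one NTLM client, then one anonymous client."""
    proxy = Proxy(detach_disable_on_ntlm)
    first = proxy.request("firefox-user", "NTLM <constructed-token>")
    second = proxy.request("anonymous-visitor")
    return first, second, proxy.opened


if __name__ == "__main__":
    print("pooled:", run(False))
    print("with rule:", run(True))
```

In the pooled run the anonymous request is forwarded on the connection that already carries the first client's identity; with the rule modelled, it gets a fresh connection at the cost of one extra server-side connection.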