NTLM Authentication - Windows Integrated 401 Challenge
Dear All,
I'm trying to replace an ISA server with a BIG-IP solution.
At present the ISA server is doing authentication on all listeners (Virtual Servers).
Authentication is based on NTLM:
1) Client sends a GET request to the server
2) ISA responds with a 401 Unauthorized and starts the NTLM challenge (header WWW-Authenticate: NTLM & Negotiate)
3) Client responds to the NTLM challenge
4) ISA validates the challenge and lets the client pass through if the credentials are valid
5) Client is in contact with the web server page
I already tried to set up APM with NTLM Check Auth, but it always fails.
I also tried to set up a 401 Challenge in APM, but in this case the negotiation happens with Kerberos and not NTLM as the ISA does... This also ends in failure.
My question is finally quite simple... Has someone already set up such a topology?
IIS7 with Windows Integrated Authentication. External clients are redirected to the BIG-IP, which validates the credentials (without Portal Access) and, if OK, sends the client to the Windows app?
Thanks in advance for your support
Regards
- EmBee_57573 (Nimbostratus)
Sorry, the first picture was incorrect.
- ndaems (Nimbostratus)
Hi EmBee,
This is exactly what I just tried to do...
You're correct, we don't need SSO to the backend (at least for the moment).
Unfortunately the NTLM Auth Result always fails, with the logs below.
When looking at the headers I can see that the BIG-IP is trying to negotiate, so doing Kerberos instead of NTLM...
Can you maybe please tell me how I can check if there is an existing SPN entry?
Thanks
Regards
14:17:23 bes0175 notice apd[5914]: 01490005:5: c56e0378: Following rule 'fallback' from item 'NTLM Auth Result' to ending 'Allow'
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: modules/EndingAgents/Allow/AllowAgent.cpp func: "executeInstance()" line: 1863 Msg: Webtop ObjectName:
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 310 Msg: variable "session.user.uuid" was not found in the local cache for session "c56e0378"
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 317 Msg: try to get it from MEMCACHED
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 351 Msg: variable "session.user.uuid" for session "c56e0378" was not found in MEMCACHED
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 310 Msg: variable "session.access.profile" was not found in the local cache for session "c56e0378"
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 317 Msg: try to get it from MEMCACHED
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 349 Msg: variable found, lets add it to the local cache "session.access.profile"="/Common/vs_test_2"(length=17)
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 310 Msg: variable "session.logon.last.logonname" was not found in the local cache for session "c56e0378"
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 317 Msg: try to get it from MEMCACHED
Feb 26 14:17:23 bes0175 debug apd[5914]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 351 Msg: variable "session.logon.last.logonname" for session "c56e0378" was not found in MEMCACHED
Feb 26 14:17:23 bes0175 notice apd[5914]: 01490102:5: c56e0378: Access policy result: LTM+APM_Mode
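The question above is really "which mechanism is actually on the wire?". The following is an added example (not code from this thread or from F5) that reads the schemes offered in WWW-Authenticate and decodes the client's Authorization token just far enough to tell a raw NTLMSSP message, a SPNEGO negTokenInit with its list of offered mechanisms, and a raw Kerberos token apart. The sample header values are constructed for the example; the OIDs are the standard GSS-API mechanism identifiers.

```python
import base64
import struct

# DER-encoded OID arcs (tag and length stripped) for the mechanisms seen in Negotiate tokens.
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos V5", OID_NTLMSSP: "NTLMSSP"}


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos. Returns (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_token(token):
    """Classify a decoded token: raw NTLMSSP, SPNEGO (with offered mechs), or raw Kerberos."""
    if token.startswith(b"NTLMSSP\x00"):
        (msg_type,) = struct.unpack_from("<I", token, 8)   # 1 negotiate, 2 challenge, 3 authenticate
        return {"mechanism": "NTLM", "ntlm_message_type": msg_type}
    if token[:1] != b"\x60":                            # GSS-API InitialContextToken is [APPLICATION 0]
        return {"mechanism": "unknown"}
    _, body, _ = _read_tlv(token)
    oid_tag, oid, pos = _read_tlv(body)
    if oid_tag != 0x06:
        return {"mechanism": "unknown"}
    result = {"mechanism": MECH_NAMES.get(oid, "unknown OID " + oid.hex())}
    if oid == OID_SPNEGO:
        inner_tag, inner, _ = _read_tlv(body, pos)
        if inner_tag == 0xA0:                           # [0] negTokenInit: the client's opening offer
            _, seq, _ = _read_tlv(inner)                # NegTokenInit ::= SEQUENCE
            ctx_tag, ctx, _ = _read_tlv(seq)            # [0] mechTypes
            if ctx_tag == 0xA0:
                _, mech_seq, _ = _read_tlv(ctx)         # MechTypeList ::= SEQUENCE OF OID
                offered, p = [], 0
                while p < len(mech_seq):
                    _, o, p = _read_tlv(mech_seq, p)
                    offered.append(MECH_NAMES.get(o, "unknown OID " + o.hex()))
                result["offered"] = offered
        elif inner_tag == 0xA1:                         # [1] negTokenResp: server or continuation token
            result["spnego"] = "negTokenResp"
    return result


def classify_authorization(header_value):
    """Split 'Scheme base64token' from an Authorization header and classify the token."""
    scheme, _, data = header_value.strip().partition(" ")
    result = {"scheme": scheme}
    if data:
        result.update(classify_token(base64.b64decode(data)))
    return result


def offered_schemes(www_authenticate_values):
    """Scheme names from one or more WWW-Authenticate values (bare-scheme challenges as in the thread)."""
    schemes = []
    for value in www_authenticate_values:
        for part in value.split(","):
            name = part.strip().split(" ", 1)[0]
            if name:
                schemes.append(name)
    return schemes


def _der(tag, value):
    if len(value) >= 128:                               # constructed samples are small: short-form length only
        raise ValueError("sample too long for short-form DER length")
    return bytes([tag, len(value)]) + value


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample header values (not captured from a real session).
_ntlm_type1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 8
_ntlm_type3 = b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 8
_mech_list = _der(0x30, _der(0x06, OID_KRB5) + _der(0x06, OID_NTLMSSP))
_spnego_init = _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, _der(0xA0, _mech_list))))
_krb_raw = _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + b"<AP-REQ omitted>")

SAMPLE_AUTHZ_NTLM = "NTLM " + _b64(_ntlm_type1)            # classic NTLM scheme, type 1 message
SAMPLE_AUTHZ_SPNEGO = "Negotiate " + _b64(_spnego_init)    # SPNEGO offering Kerberos first, then NTLM
SAMPLE_AUTHZ_RAW_NTLM = "Negotiate " + _b64(_ntlm_type3)   # raw NTLMSSP carried under the Negotiate scheme
SAMPLE_AUTHZ_KERBEROS = "Negotiate " + _b64(_krb_raw)      # raw Kerberos token (AP-REQ omitted)

if __name__ == "__main__":
    print(offered_schemes(["Negotiate", "NTLM"]))
    for sample in (SAMPLE_AUTHZ_NTLM, SAMPLE_AUTHZ_SPNEGO, SAMPLE_AUTHZ_RAW_NTLM, SAMPLE_AUTHZ_KERBEROS):
        print(classify_authorization(sample))
```

Run it against header values copied from a browser developer-tools capture or a proxy trace. A negTokenInit whose offered list starts with Kerberos V5 is the normal Windows behaviour and matches the "Kerberos instead of NTLM" observation above; a client that cannot get a ticket typically falls back to sending raw NTLMSSP under the Negotiate scheme, which the classifier reports as mechanism NTLM with the message type.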
- EmBee_57573 (Nimbostratus)
Check with your AD administrator. He can look into Active Directory for service principal names (SPNs).
- ndaems (Nimbostratus)
Hi,
After checking with the admin guy, he confirms that there is no SPN entry:
ldap_search_s(ld, "(null)", 2, "serviceprincipalname=HOST/******", attrList, 0, &msg) Error: Search: No Such Object. <32>
Unfortunately I'm still seeing some Kerberos negotiation...
Do you have any other idea?
Thanks
- EmBee_57573 (Nimbostratus)
OK, so your client is sending Kerberos tickets. Let's go for Kerberos authentication then. Beware of correct SPN settings.
- ndaems (Nimbostratus)
Hi,
I configured Kerberos Auth and it ends with Success:
Feb 26 16:23:57 bes0175 info apd[5914]: 01490007:6: 4d9761ec: Session variable 'session.logon.last.authtype' set to 'Negotiate'
Feb 26 16:23:57 bes0175 info apd[5914]: 01490007:6: 4d9761ec: Session variable 'session.logon.last.result' set to '1'
Feb 26 16:23:57 bes0175 info apd[5914]: 01490007:6: 4d9761ec: Session variable 'session.logon.page.errorcode' set to '0'
Feb 26 16:23:57 bes0175 info apd[5914]: 01490007:6: 4d9761ec: Session variable 'session.policy.result' set to 'allow'
Almost good, but unfortunately the browser always pops up and asks for user & password...
It seems that the browser doesn't send the credentials.
Regards
Nicolas
- EmBee_57573 (Nimbostratus)
Your log shows that you are authenticated. The popup is probably from your backend server; it requires authentication.
Then you would have to set up Kerberos delegation :(
- ndaems (Nimbostratus)
Hi,
Wow, more and more difficult :)
How can I be sure that the popup comes from the backend?
Are there any tips to set up the KDC?
Thanks
- Rabbit23_116296 (Nimbostratus)
One important thing to keep in mind here: Internet-initiated == no Kerberos negotiated. This will work, but only if you have access to the Kerberos Distribution Center. Chances are you aren't opening up TCP 88 to the internet...
So with things like TMG/ISA server you could send NTLM credentials and it would "hop" the authentication on the back end using Kerberos delegation. This is made possible by authentication proxies, in the case of Exchange (rpcproxy.dll).
- EmBee_57573 (Nimbostratus)
To validate whether it comes from the backend, check the server logging. It should show an unauthenticated user.
For KDC configuration, look at the manual. Hint:
1. The F5 account needs delegation rights for the SPN of the backend server (see the manual for how to do that).
2. So for your environment, you first have to set up an SPN for your SharePoint.
3. Within your Kerberos SSO configuration, use the SPN pattern field and fill in the SPN; something like HTTP/service.contoso.com@CONTOSO.LOCAL
If you do not use the SPN pattern, then the F5 will use a reverse DNS lookup of the pool member IP address to find the SPN (which probably has incorrect PTR settings).
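To make the SPN points in this thread concrete (the SPN lookup from the earlier ldap_search_s output, the HTTP/host@REALM pattern, and the reverse-DNS fallback caveat just above), here is an added example that is not from the thread or from F5. It parses and validates SPN syntax, builds a correctly escaped LDAP filter for the SPN as stored in AD, and models the "no pattern, use the PTR of the pool member" behaviour with an injected reverse-DNS table so it runs offline. The realm, hostname, IP and PTR answer are constructed values; the fallback model follows the description in the post, not F5's actual implementation.

```python
import ipaddress
import re

# Constructed sample values for this example (not the thread's real environment).
REALM = "CONTOSO.LOCAL"
SERVICE_HOST = "service.contoso.com"                # name in the URL the browser requests
POOL_MEMBER_IP = "10.0.0.5"                          # hypothetical backend pool member
PTR_TABLE = {"10.0.0.5": "web01.contoso.local"}      # constructed reverse-DNS answers

# SPN syntax: service/host[:port][/name][@REALM]
SPN_RE = re.compile(
    r"^(?P<service>[^/@:]+)/(?P<host>[^/@:]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<name>[^@]+))?(?:@(?P<realm>[^@]+))?$"
)


def parse_spn(spn):
    """Split an SPN into its parts; raises ValueError on malformed input."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    return m.groupdict()


def expected_spn(service_host, realm, service="HTTP"):
    """SPN in the HTTP/host@REALM form used in the post's SPN pattern example."""
    # Host lower-cased for readability only; AD compares servicePrincipalName case-insensitively.
    return f"{service}/{service_host.lower()}@{realm.upper()}"


def ldap_escape(value):
    """RFC 4515 escaping so '*', '(', ')', '\\' and NUL in a value are literal, not filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def spn_filter(spn):
    """LDAP filter for the SPN as stored in AD (the stored attribute carries no @REALM suffix)."""
    p = parse_spn(spn)
    stored = f"{p['service']}/{p['host']}"
    if p["port"]:
        stored += f":{p['port']}"
    if p["name"]:
        stored += f"/{p['name']}"
    return f"(servicePrincipalName={ldap_escape(stored)})"


def spn_via_reverse_dns(pool_member_ip, realm, ptr_lookup, service="HTTP"):
    """Model of the fallback described in the post: with no SPN pattern, the SPN host comes from
    the PTR record of the pool member IP. ptr_lookup is injected so the example runs offline."""
    ipaddress.ip_address(pool_member_ip)            # raises on a malformed address
    name = ptr_lookup(pool_member_ip)
    return None if name is None else expected_spn(name, realm, service)


def check_spn_consistency(service_host, pool_member_ip, realm, ptr_lookup):
    """Compare the SPN the pattern would produce with the one reverse DNS would produce."""
    wanted = expected_spn(service_host, realm)
    derived = spn_via_reverse_dns(pool_member_ip, realm, ptr_lookup)
    return {"expected": wanted, "reverse_dns": derived, "match": derived == wanted}


if __name__ == "__main__":
    print(spn_filter(expected_spn(SERVICE_HOST, REALM)))
    print(check_spn_consistency(SERVICE_HOST, POOL_MEMBER_IP, REALM, PTR_TABLE.get))
```

With the constructed PTR table the check reports a mismatch: the pattern yields HTTP/service.contoso.com@CONTOSO.LOCAL while reverse DNS yields HTTP/web01.contoso.local@CONTOSO.LOCAL, which is exactly the failure the reverse-DNS caveat warns about. The escaping matters for the redacted filter shown earlier in the thread: an unescaped '*' in the value would turn the equality match into a wildcard search.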