Forum Discussion
NTLM Authentication - Windows Integrated 401 Challenge
Dear All,
I'm trying to replace an ISA server with a BIG-IP solution.
At present the ISA server is doing an authentication on all listeners (virtual servers).
Authentication is based on NTLM:
1) Client sends a GET request to the server
2) ISA responds with a 401 Unauthorized and starts the NTLM challenge (header WWW-Authenticate: NTLM & Negotiate)
3) Client responds to the NTLM challenge
4) ISA validates the challenge and lets the client pass through if credentials are valid
5) Client is in contact with the server web page
I already tried to set up APM with NTLM Check Auth but it always fails.
I also tried to set up a 401 Challenge in APM, but in this case the negotiation happens with Kerberos and not NTLM as the ISA is doing... This also ends in failure.
My question is finally quite simple: has someone already set up such a topology?
IIS7 with Windows Integrated Authentication. External clients are redirected to the BIG-IP, which validates credentials (without Portal Access) and, if OK, sends the client to the Windows app?
Thanks in advance for your support
Regards
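The five-step 401 handshake described in the question, as an added example in Python (not code from this thread, from F5 or from the ISA product): a small classifier that tells, from one WWW-Authenticate or Authorization value, whether the token is raw NTLM (and which message type, 1/2/3) or an SPNEGO "Negotiate" token whose first listed mechanism is Kerberos or NTLMSSP, plus a checker that verifies an exchange follows the 401 -> Type 1 -> 401 + Type 2 -> Type 3 -> 200 order. This is the check one would run over captured headers to confirm, as the thread debates, whether a client is really doing NTLM or Kerberos. All tokens are constructed header-only samples (no flags, challenges or credentials); the DER OIDs are the standard SPNEGO, Kerberos 5, MS-Kerberos and NTLMSSP identifiers, and the helper names are my own.

```python
# Inspect NTLM / Negotiate HTTP auth headers and check the 401 challenge order.
# Added example; tokens are constructed header-only samples, not real traffic.
import base64
from typing import Dict, List, Optional, Tuple

# DER-encoded OIDs that appear in an SPNEGO (RFC 4178) NegTokenInit.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # magic of every raw NTLM message


def offered_schemes(header_value: str) -> List[str]:
    """Scheme names in a bare challenge such as 'Negotiate, NTLM' (no tokens)."""
    return [p.strip().split(None, 1)[0] for p in header_value.split(",") if p.strip()]


def classify(header_value: str) -> Dict[str, Optional[object]]:
    """Describe one WWW-Authenticate / Authorization value: scheme, mechanism, NTLM type."""
    result: Dict[str, Optional[object]] = {"scheme": None, "mechanism": None, "ntlm_type": None}
    parts = header_value.strip().split(None, 1)
    if not parts:
        return result
    if "," in header_value or len(parts) == 1:      # bare challenge, nothing to decode yet
        schemes = offered_schemes(header_value)
        result["scheme"] = schemes[0] if schemes else None
        return result
    result["scheme"] = parts[0]
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except Exception:
        result["mechanism"] = "undecodable"
        return result
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLM, whether it arrives under the NTLM or the Negotiate scheme.
        result["mechanism"] = "ntlm"
        result["ntlm_type"] = int.from_bytes(raw[8:12], "little")
    elif raw[:1] == b"\x60" and SPNEGO_OID in raw[:20]:
        # SPNEGO wrapper: the first OID in mechTypes is the mechanism the client actually used.
        found = [(raw.find(oid), name) for oid, name in
                 ((KRB5_OID, "kerberos"), (MS_KRB5_OID, "kerberos"), (NTLMSSP_OID, "ntlm"))]
        found = [f for f in found if f[0] >= 0]
        result["mechanism"] = min(found)[1] if found else "spnego-unknown"
    else:
        result["mechanism"] = "unknown"
    return result


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV with short-form length (enough for these small samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def spnego_init(mech_oids: List[bytes]) -> bytes:
    """Constructed NegTokenInit listing mech_oids in order (mechToken omitted)."""
    mech_type_list = der(0xA0, der(0x30, b"".join(mech_oids)))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, mech_type_list)))


def ntlm_message(msg_type: int) -> bytes:
    """Constructed NTLM message header: signature + little-endian type, payload zeroed."""
    return NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 8


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Steps of the handshake from the question:
# (actor, HTTP status or None for a request, NTLM message type required or None).
HANDSHAKE = [("server", 401, None), ("client", None, 1), ("server", 401, 2),
             ("client", None, 3), ("server", 200, None)]


def check_ntlm_handshake(exchange: List[Tuple[str, Optional[int], Optional[str]]]) -> bool:
    """True if exchange follows 401 -> Type 1 -> 401+Type 2 -> Type 3 -> 200 with NTLM tokens."""
    if len(exchange) != len(HANDSHAKE):
        return False
    for (actor, status, header), (e_actor, e_status, e_type) in zip(exchange, HANDSHAKE):
        if actor != e_actor or status != e_status:
            return False
        if e_type is None:
            # The initial 401 must actually offer NTLM; the final 200 carries no auth header.
            if status == 401 and (header is None or "NTLM" not in offered_schemes(header)):
                return False
            continue
        info = classify(header) if header else {}
        if info.get("mechanism") != "ntlm" or info.get("ntlm_type") != e_type:
            return False
    return True


# Constructed sample exchange matching the five steps in the question.
SAMPLE_EXCHANGE = [
    ("server", 401, "Negotiate, NTLM"),                 # 401 offering both schemes
    ("client", None, "NTLM " + b64(ntlm_message(1))),   # Type 1: negotiate
    ("server", 401, "NTLM " + b64(ntlm_message(2))),    # Type 2: challenge
    ("client", None, "NTLM " + b64(ntlm_message(3))),   # Type 3: authenticate
    ("server", 200, None),                              # credentials accepted
]
# Same messages with Type 3 sent before the challenge: must be rejected.
BROKEN_EXCHANGE = [SAMPLE_EXCHANGE[0], SAMPLE_EXCHANGE[3]] + SAMPLE_EXCHANGE[2:]

if __name__ == "__main__":
    print(classify("Negotiate " + b64(ntlm_message(1))))                                   # raw NTLM under Negotiate
    print(classify("Negotiate " + b64(spnego_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID]))))  # Kerberos preferred
    print(check_ntlm_handshake(SAMPLE_EXCHANGE), check_ntlm_handshake(BROKEN_EXCHANGE))
```

The useful distinction for this thread is the Negotiate case: the scheme name alone does not say whether Kerberos or NTLM is in play, only the decoded token does. A Negotiate token that decodes to the NTLMSSP signature, or an SPNEGO token whose first mechType is NTLMSSP, is NTLM in a Negotiate wrapper; only a token leading with a Kerberos OID means the client obtained a ticket, which is what an Internet-side client without a path to a domain controller cannot do.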
- Rabbit23_116296 (Nimbostratus)
One important thing to keep in mind here: Internet initiated == no Kerberos negotiated. This will work, but only if you have access to the Kerberos Distribution Center. Chances are you aren't opening up TCP 88 to the Internet.
So with things like TMG/ISA server, I presume this is only for external clients, so you could send NTLM credentials and it would "hop" the authentication on the back end using Kerberos delegation. This is made possible by authentication proxies in the case of Exchange (rpcproxy.dll).
- ndaems (Nimbostratus)
Sorry EmBee,
I get lost.
For now all requests are coming from the Internet side and I do see a Kerberos Negotiate...
So with things like TMG/ISA server you could send NTLM credentials and it would "hop" the authentication on the back end using Kerberos delegation. This is made possible by authentication proxies in the case of Exchange (rpcproxy.dll).
This is almost what we are trying to achieve... If possible NTLM would be sufficient, but it seems that our browser doesn't start an NTLM negotiation but rather a Kerberos negotiation...
When looking at headers when using ISA we can only see NTLM headers, never a Kerberos negotiation.
Regards
- Rabbit23_116296 (Nimbostratus)
Yes, ISA won't show Kerberos headers because the browser can only send them when it has an open channel to a domain controller.
Have you thought about doing client-side checks using the APM module? Then you can check if authenticated (as far as I know it prompts you once to install a plug-in / ActiveX control).
- ndaems (Nimbostratus)
Hi Rabbit23,
Not yet...
In fact I'm trying to do the same as the ISA server is doing...
For now I still (sorry) don't understand why the BIG-IP cannot play the same role (whether using Kerberos or NTLM)...
If there is no other solution then I will start looking at some alternative way like the one you proposed.
- Rabbit23_116296 (Nimbostratus)
The only way I know is for the F5 to do the check for NTLM by means of plug-ins. I would give it a try; it works on most browsers and is probably the quickest way to get you going.
- Rabbit23_116296 (Nimbostratus)
https://devcentral.f5.com/questions/sso-options-ntlm-integrated-saml-assertionsanswer89643
See above. Let's hope there is some more information soon; this is something that I would like to see work myself, coming from TMG/ISA.
- ndaems (Nimbostratus)
Hi Rabbit,
Thanks for the info / links.
It sounds strange to me that the BIG-IP cannot handle that kind of authentication natively...
It's true that the link can solve the issue, but we need to set up a separate infrastructure for authenticating the user... That means redundancy and reliability.
A plugin could be an option, but once again it looks so strange that such a powerful product cannot do the same as the old ISA 2006!
Don't you think that another, better option could be available?
Thanks
- Rabbit23_116296 (Nimbostratus)
I think it is probably less a BIG-IP limitation than it is the design of the auth protocols in question. Kerberos clients need access to the KDC ticketing server (AD domain controller) before they can do anything, and NTLM cannot "double-hop" to authenticate to another service because the password is never known.
So a combination of the two is what you are most likely after: NTLM authentication proxying to Kerberos delegated service access. Of course the back-end service needs to support Kerberos delegation. If in ISA you had NTLM enabled and published it in a web publishing rule, and it was purely NTLM, the ISA server was just a man in the middle and would, to my knowledge, challenge the user.
Not knowing exactly what service you are trying to get to work using the BIG-IP, could you provide an example of something that was working in ISA and that is not working on the BIG-IP?
- ndaems (Nimbostratus)
Hi Rabbit,
We have multiple backends that we need to publish; for now I'm trying to publish a SharePoint portal (Windows with Integrated Auth) and a Centreon backend (with a form-based login on the backend).
What I have to achieve, even for Linux backends, is doing a first transparent auth on the BIG-IP. If the client machine is in the domain it needs to be transparent (whether Kerberos or NTLM)... If the machine is not in the domain we need to fall back to basic auth...
At this point I always get a popup and, once completed, get access to the website... If I were able to fix this kind of SSO issue it would be very nice.
- Rabbit23_116296 (Nimbostratus)
You're always limited to the capability of the back end. So if the back end is form-based it will need a password. APM can do that, but it needs the password, which it cannot get without the user actually entering it. One way is to use a webtop to challenge the user once.
SharePoint will work as it supports Kerberos SPNs for authentication.