Forum Discussion

ndaems_145583
Feb 26, 2014

NTLM Authentication - Windows Integrated 401 Challenge

Dear All,

I'm trying to replace an ISA server with a BIG-IP solution.

At present the ISA server is doing authentication on all listeners (Virtual Servers).

Authentication is based on NTLM:

1) Client sends a GET request to the server
2) ISA responds with a 401 Unauthorized and starts the NTLM challenge (header Authenticate-WWW: NTLM & Negotiate)
3) Client responds to the NTLM challenge
4) ISA validates the challenge and lets the client pass through if the credentials are valid
5) Client is in contact with the server web page

I already tried to set up APM with NTLM Check Auth, but it always fails.

I also tried to set up a 401 Challenge in APM, but in this case the negotiation happens with Kerberos and not NTLM as the ISA is doing... This also ends in failure.

My question is finally quite simple... Has someone already set up such a topology?

IIS7 with Windows Integrated Authentication. External clients are redirected to the BIG-IP, which validates credentials (without Portal Access) and, if OK, sends the client to the Windows app?

Thanks in advance for your support.

Regards
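An added example (not from this thread, nor F5 or Microsoft code) of what a pre-authenticating proxy such as the ISA listener sees after its 401 challenge: it decodes the client's `Authorization` token and reports whether the mechanism actually in play is NTLM or Kerberos, which is the distinction the APM 401 Challenge attempt described above ran into. The sample tokens are constructed for illustration, not captured traffic.

```python
import base64

# Byte patterns that identify the mechanism inside an NTLM/Negotiate token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
OID_KERBEROS = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KERBEROS = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KERBEROS: "Kerberos", OID_MS_KERBEROS: "Kerberos", OID_NTLMSSP: "NTLM"}


def classify_authorization(header_value):
    """Map an Authorization header value to (scheme, mechanism actually used)."""
    parts = header_value.split(None, 1)
    scheme = parts[0]
    if len(parts) < 2:
        return scheme, "no-token"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP message (sent under both the NTLM and the Negotiate scheme);
        # bytes 8..12 hold the message type: 1 = NEGOTIATE, 3 = AUTHENTICATE.
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return scheme, "NTLM type %d" % msg_type
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        # SPNEGO NegTokenInit: mechTypes lists the client's offers, preferred first,
        # and the optimistic mechToken belongs to that first mechanism.
        offers = sorted((token.find(oid), name) for oid, name in MECH_NAMES.items() if oid in token)
        return scheme, "SPNEGO " + (offers[0][1] if offers else "unknown")
    if token[:1] == b"\x60" and OID_KERBEROS in token[:16]:
        return scheme, "raw Kerberos"
    return scheme, "unknown"


def _der(tag, content):
    """Minimal DER TLV encoder used only to build the constructed sample tokens."""
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


# Constructed sample tokens (not captured traffic): an NTLM NEGOTIATE message and two SPNEGO offers.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24
SPNEGO_KRB = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, OID_MS_KERBEROS + OID_KERBEROS + OID_NTLMSSP)))))
SPNEGO_NTLM_ONLY = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, OID_NTLMSSP)))))
SAMPLE_HEADERS = [
    "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "Negotiate " + base64.b64encode(SPNEGO_KRB).decode(),
    "Negotiate " + base64.b64encode(SPNEGO_NTLM_ONLY).decode(),
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_authorization(header))
```

A "Negotiate" scheme header can therefore carry either raw NTLMSSP or an SPNEGO token preferring Kerberos, so logging this classification on the proxy shows which path a client actually took.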

  • You're always limited to the capability of the back end. So if the back end is form-based, it will need a password. APM can do that, but it needs the password, which it cannot get without the user actually entering it. One way is to use a webtop to challenge the user once.

    SharePoint will work, as this supports Kerberos SPNs for authentication.

  • ndaems

    Hi rabbit,

    OK, so it means there is no way to do a transparent identification on the BIG-IP if there is no authentication at the backend...

    Today the best example is as follows: 1) we have an Apache website with form-based auth

    When we try to access this webpage from the Internet, the ISA server does a pre-auth (transparent with Windows Integrated Auth - NTLM). Once authenticated on the ISA's listener, we are then redirected to the backend, on which we need to supply the credentials...

    This allows us to do a first transparent filter and be sure that users are authenticated in the DMZ before sending them to the internal network...

  • OK, in that case, to my knowledge I know of no way to do it other than adding an external logon page that is NTLM enabled (if you don't want to go the webtop/plug-in route). I am still waiting to be shown otherwise, but I also can't believe it's the only way. At the end of the day APM is running its own web daemon, and I believe there must be a way to get this to work natively..

  • ndaems

    Hi Rabbit,

    Thanks for your help... We'll test the external logon page, even if I also think that there should be a way to do that natively...

    I have an open support ticket for that and will give you the feedback once it is solved.