NTLM fallback path is not been selected

Question

Hello everyone,&nbsp;
I've been trying to configure an APM policy to authenticate the users transparently via NTLM as long as the user's computer is Joined to the domain else they should be shown the Logon Page. I've followed the guide from kevin (https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication) and NTLM works fine (The VS has the irule for NTLM indicated in that post too). The problem comes when the user access with a non-domain joined computer, the browser keep asking for credentials (Pop-up). &nbsp;
As per my policy the fallback path for NTLM connects with Logon page, although that Logon Page never comes. If i write down the correct credentials i will not be prompted again for them but the page displays an error (Can’t reach this page) and if used NTLM with a joined computer it will be accepted. &nbsp;
Thanks in advanced&nbsp;
&nbsp;

boneyard · Answer

you could see if it works with kerberos, there is some discussion about that here and i have seen this working:
https://devcentral.f5.com/questions/kerberos-401-authentication-with-form-fallback&nbsp;
afterwards you could go back to NTLM and see if that works.&nbsp;
this is a little bit more what you want, but they use different selections to go for NTLM or forms&nbsp;
https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;
the issue is client still try to authenticate because of 401 response.&nbsp;
NTLM auth is done before Access policy is evaluated, so it never follow fallback branch.&nbsp;
NTLM auth result is not a NTLM auth action but a validation of NTLM auth performed at LTM level.&nbsp;
try with following code to disable NTLM auth if first attempt fails.&nbsp;
when ECA_REQUEST_DENIED {
   log local0. "User [ECA::username]@[ECA::domainname], Client Machine [ECA::client_machine_name], Auth Status [ECA::status]"
   ECA::disable
}

jesseg_357836 · Answer

Hello,&nbsp;
I am struggling with the very same issue. Were you able to resolve it? If so, can you provide a solution?&nbsp;
Thank you&nbsp;

boneyard · Answer

a first step would be to explain how exactly your situation is the same. how does your policy look? and what of the tips here you already tried.&nbsp;

jesseg_357836 · Answer

at least from other posts on devcentral, it looks like this may not be possible as NTLM auth happens before the policy starts. So the only workaround is to check for domain membership beforehand, but that requires edge components to be installed and I'm hoping to avoid installing edge components company wide.

Forum Discussion

NTLM fallback path is not been selected

Recent Discussions

Http / https health monitor issue

F5-SDK Get GTM Pool Server, Virtual Server, Unused Objects, and JSON Conversion for Data Processing

F5 DNS Generic Host

How do I create a traffic log for two different route domains?

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Configuring APM Client Side NTLM Authentication

NTLM

Persist connection based on NTLM username

HTTPS passthrough fallback URL

Transparent Kerberos Authentication and APM fallback authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS