For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Javier_124486's avatar
Javier_124486
Icon for Nimbostratus rankNimbostratus
Dec 20, 2017

NTLM fallback path is not been selected

Hello everyone,   I've been trying to configure an APM policy to authenticate the users transparently via NTLM as long as the user's computer is Joined to the domain else they should be shown the ...
BIG-IP Access Policy Manager (APM)
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Dec 25, 2017

Hi,

 

the issue is client still try to authenticate because of 401 response.

 

NTLM auth is done before Access policy is evaluated, so it never follow fallback branch.

 

NTLM auth result is not a NTLM auth action but a validation of NTLM auth performed at LTM level.

 

try with following code to disable NTLM auth if first attempt fails.

 

when ECA_REQUEST_DENIED {
   log local0. "User [ECA::username]@[ECA::domainname], Client Machine [ECA::client_machine_name], Auth Status [ECA::status]"
   ECA::disable
}