maltar_141221
Sep 15, 2017

NTLM pop-up after successful authentication.

We are trying to develop an APM policy that allows domain-joined computers to use a Kerberos ticket to log in to a SAML-based intranet website.

Currently the login to the SAML-based intranet website already works with form-based authentication using BIG-IP as a SAML IdP.

The new setup has the following problem:

The authentication currently works as intended if we go directly to the VIP "saml.demo.com": it authenticates without requesting credentials and shows us the webtop with an icon for the SAML-based intranet site. If you click the link, the SAML IdP-initiated auth does its job and you are logged in to the intranet website.

The authentication has an issue when you do an SP-initiated SAML request from the intranet website to saml.demo.com. The 401 response does its job and creates a session on the BIG-IP. But after this has been completed, the user gets an NTLM basic pop-up for credentials. If you enter the correct credentials in this box, nothing happens afterwards. If you close the pop-up box and, without closing the browser, go back to the intranet website and do an SP-initiated SAML request again, the previously established session gets used and the user gets redirected back to the intranet website with a SAML assertion and is logged in correctly. If you close the browser and open it again, you can repeat the process.

We are testing this with IE11, with the SAML and intranet websites added to the intranet zone and auth.

Logging shows a full completion of the APM policy and no errors or new 401 requests.

The IE11 pop-up

The APM policy looks as follows:

Running version 12.1.2 HF1

Does anyone have an idea what creates this problem and how to solve it?