For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

EmBee_57573's avatar
EmBee_57573
Icon for Nimbostratus rankNimbostratus
Feb 24, 2014

NTLM SSO for end-users in a AD domain

Hi, I have users which are already authenticated within the AD domain. My BIG-IP APM/LTM should do the following:

 

  1. provide SSO to the backend server: the SharePoint server should see the user credentials
  2. if a users is already authenticated against the AD, the user should not see any login prompt.
  3. I would like to use NTLM

There is a solution [http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0/3.htmlconceptid] but this is based on Kerberos.

 

Is this only possible with Kerberos or should NTLM work also?

 

My main concern is if with NTLM SSO to the backend is possible or not.

 

BIG-IP Access Policy Manager (APM)
design
security

3 Replies

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Feb 24, 2014

    Yes, using NTLM on the front-end is possible - but because NTLM authentication cannot be proxied - meaning that APM does not get user's password during NTLM authentication - so regardless of whether you use Kerberos or NTLM to authenticate to APM, you will have to setup Kerberos Constrained Delegation on the backend for SSO.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Feb 28, 2014

    https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication

     

  • EmBee_57573's avatar
    EmBee_57573
    Icon for Nimbostratus rankNimbostratus
    Mar 03, 2014

    thanks Michael, great article. Learned about ECA which was new to me :)