NTLM SSO stops working when another VS in same policy uses Kerberos SSO
Problem:
In an APM Access Policy which uses an NTLM SSO configuration profile and multiple Virtual Servers, the NTLM SSO stops working when making requests to a Virtual Server in the same Access Policy which uses Kerberos SSO.
The VS that needs to do Kerberos SSO has an iRule attached that sets the SSO method to Kerberos (WEBSSO::select).
I already tried to also attach an additional iRule to the virtual server that uses NTLM SSO, to set the NTLM SSO explicitly, but this doesn't solve the problem.
Anyone seen this before and know how to fix this?
Here is some info on how to reproduce the error:
1. Authenticate (/my.policy).
2. Fetch page via VS1 with NTLM SSO on NTLM enabled poolmember.
   Trace on BIG-IP shows:

       client requests: HTTP_REQUEST: GET /img.jpg
       (sso) HTTP_RESPONSE: 401 + WWW-Authenticate: NTLM
       (sso) HTTP_RESPONSE: 401 + WWW-Authenticate: NTLM XXX...XXX==
       client receives: HTTP_RESPONSE: 200

   Works as expected. Successful request.
3. Fetch page via VS2 with Kerberos SSO on Kerberos enabled poolmember. This VS has an iRule which uses WEBSSO::select to use Kerberos SSO instead of the Access Policy default NTLM SSO.
   Works as expected. Successful request.
4. Fetch page via VS1 with NTLM SSO on NTLM enabled poolmember (exactly the same request as in step 2).

       client requests: HTTP_REQUEST: GET /img.jpg
       client_receives: HTTP_RESPONSE: 401 + WWW-Authenticate: NTLM

   Doesn't work as expected. BIG-IP seems to skip SSO now. Client is confronted with 401 NTLM pop-up.
More details:
Version: 12.1.1 HF1