Forum Discussion
Pass-through authentication
Very new to this so just trying to figure stuff out.
I have an IIS site that requires users to be authenticated. The site is configured to accept integrated authentication. That is, the AD credentials the user used to log into his domain-joined computer.
It looks like the F5 is stripping off these credentials and requires the users to authenticate. Once they authenticate, everything works fine. But I need to be able to just pass the credentials on seamlessly.
Is this possible and if so how do you do it?
9 Replies
- What_Lies_Bene1
Cirrostratus
I can't see the F5 doing that unless it's been configured to. Are you using APM? What version are you running? Can you post the Virtual Server configuration with any sensitive values replaced please?
- Etienne_28122
Nimbostratus
What is the best way to post the virtual server config? Is there a way to export it to a text file or something similar?
- What_Lies_Bene1
Cirrostratus
You'll need to SSH to the device, login, enter tmsh (the command is simply tmsh) and then type 'list ltm virtual name' and that should give you the configuration in a text format.
- Etienne_28122
Nimbostratus
Thanks for your assistance so far.
Here is the output of the VS:
ltm virtual vs_caissaVB {
    destination 10.38.6.246:http
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_caissaVB
    profiles {
        http { }
        ntlm { }
        oneconnect { }
        tcp { }
    }
    snat automap
    vlans-disabled
}
Don't know if that is what you are looking for...
- What_Lies_Bene1
Cirrostratus
I'd suggest you remove the NTLM and OneConnect profiles and see if that makes a difference. If you connect to the server directly do you not have to authenticate?
- Etienne_28122
Nimbostratus
I have removed the OneConnect and NTLM but I have the same issue.
The user does authenticate but not actively, as it is using the logged-on credentials. The F5 does not seem to pass those on.
It seems to want to do its own 401 request.
- What_Lies_Bene1
Cirrostratus
I don't think the issue is the F5. Have you tried connecting to a server directly, bypassing the F5, does that work?
- Etienne_28122
Nimbostratus
Thanks Steve
I have noticed that the site, which is a custom-written one, does behave a little strangely even if publishing it through TMG 2010.
I am going to chalk this one up to site specific issue...
- What_Lies_Bene1
Cirrostratus
OK, you might as well reapply the NTLM and OneConnect profiles then, if you haven't already. Thanks for letting us know.