For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

navgup_66025's avatar
navgup_66025
Icon for Nimbostratus rankNimbostratus
Jun 28, 2013

spnego kerberos header vs ntlm header

I have 2 pools for a virtual. PoolA has 2 nodes with kerberos/spnego enabled backend web servers and PoolB has 2 nodes with ntlm enabled backend web servers.   I am new to this and looking for som...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jun 28, 2013
Here's a great article that speaks to exactly what I mean: http://blogs.technet.com/b/tristank/archive/2006/08/02/negotiate-this.aspx

The first thing I would do is start logging HTTP request headers to see what you're actually getting. You'll notice right away what the differences are in size and can tweak your iRule accordingly. Here's a simple logging loop for request headers: 


when HTTP_REQUEST {
    foreach x [HTTP::header names] {
        log local0. "header($x) = [HTTP::header $x]"
    }
}

You're looking for the "Authorization" header. Once you've determined an appropriate size constraint:

when HTTP_REQUEST {

if { [HTTP::header exists Authorization] } {

if { [expr [string length [HTTP::header Authorization]] <= ] } {

pool NTLM_pool

} else {

pool Kerberos_pool

}

}

}

Give that a try.