Forum Discussion
Troubleshoot NTLM SSO
You shouldn't have to modify the username to add the domain. The NTLMv2 SSO should handle this for you. You need to do the following:
- Ensure that your access policy correctly populates the session.sso.token.last.username variable with the user's userPrincipalName or sAMAccountName value. This is generally accomplished with the SSO Credential Mapping agent from some other input source like session.logon.last.username from the logon page agent.
- Ensure that your access policy correctly populates the session.sso.token.last.password variable with the user's password. This is accomplished with the SSO Credential Mapping agent from some other encrypted source like session.logon.last.password from the logon page agent.
- Ensure that your access policy correctly populates the session.logon.last.domain variable with the user's domain name, or statically populate the NTLM DOMAIN value in the NTLMv2 SSO profile.
You may need to test enabling and disabling the Username Conversion option in the SSO profile.
Otherwise, how would you authenticate to the server directly from a client in the domain? Are you certain that the server accepts NTLMv2?
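
An added example, not part of the original post: a temporary debugging iRule that logs whether the three session variables from the checklist are populated once the access policy finishes. It assumes the `-secure` option is needed to read the password variable on your APM version; the log prefix and format labels are made up for illustration.

```tcl
# Added debugging iRule (not from the original post). Attach it to the APM
# virtual server while testing, then remove it.
when ACCESS_POLICY_COMPLETED {
    set user   [ACCESS::session data get "session.sso.token.last.username"]
    set domain [ACCESS::session data get "session.logon.last.domain"]

    # Read the password only to test that it exists; never log its value.
    # Assumption: -secure is required because APM stores it as a secure variable.
    set pass     [ACCESS::session data get -secure "session.sso.token.last.password"]
    set has_pass [expr {[string length $pass] > 0}]
    unset pass

    # Classify the username so the effect of the Username Conversion option
    # in the SSO profile is visible between test runs.
    if { $user eq "" } {
        set fmt "EMPTY"
    } elseif { [string first "@" $user] >= 0 } {
        set fmt "userPrincipalName"
    } elseif { [string first "\\" $user] >= 0 } {
        set fmt "DOMAIN\\user"
    } else {
        set fmt "sAMAccountName"
    }

    log local0.info "NTLM SSO check: username='$user' ($fmt) password_set=$has_pass domain='$domain'"

    if { $user eq "" || !$has_pass } {
        log local0.info "NTLM SSO check: SSO Credential Mapping did not populate the token variables"
    }
    if { $domain eq "" } {
        # Not fatal by itself: the domain can be set statically in the SSO profile.
        log local0.info "NTLM SSO check: session.logon.last.domain is empty; set the NTLM domain in the NTLMv2 SSO profile"
    }
}
```

The messages land in /var/log/ltm; compare the logged username format with and without Username Conversion enabled.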