Forum Discussion

Elias_O_16228
Apr 18, 2013

Web application authentication but not required

I am getting a weird issue; of course, all fingers are pointing to the F5 LTM as the culprit until proven to be innocent.

We have a web application behind LTM 10.2.4. When users are logged in and attempt to download a file, they are prompted for username/password again, for the second time. When the same username/password is supplied, the file will be downloaded. This second username/password challenge is not necessary, not required, and a pain in the AS*.

But when users are logged in to the application without LTM in between, the second username/password will not show up.

Has anyone seen LTM causing application authentication when downloading a file even though not configured?

Thanks for your help

3 Replies

  • Can you elaborate on how authentication works to the application? And how that authentication traverses or is proxied by LTM?
  • The setup is typical... no authentication proxy.

    ---Fw----Cisco switch----LTM-----CiscoSwitch----Web Application server------Oracle Database

    LTM is configured only for load balancing the Web App servers. The users are prompted for username and password by the database. Upon verification of credentials, access is permitted to the application server. When you request for file download located in the database

  • I have to assume there's more to it than that. There are only so many ways that a client browser can authenticate to a web server, and most web servers only support a small subset of those methods. The methods generally include HTTP Basic, Digest, Negotiate (NTLM or Kerberos), and forms-based (and not addressing SAML and other methods that usually require an agent process installed on the web server). In any case, each of these methods would then validate the user's credentials against a directory service, database, flat file, or something else. So I'm not specifically talking about how the user account is validated, but rather the method used to acquire the user's credentials (Basic, NTLM, etc.). This is the process, if any, that a proxy server may interfere with.

    Perhaps the best way to determine that is with a capture of the HTTP communications between the client and server. The initial requests and/or response messages will usually allude to the authentication method. It's my hypothesis that the proxy server (BIG-IP) is unintentionally interfering with the way the user presents, or the way the web server consumes the client credentials.
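
Added example, not part of any reply in the thread: a Python sketch of the check the last reply suggests, reading captured HTTP responses to see which credential-acquisition method is in use and which response first asks for credentials. The function names, the login-path heuristic and the sample capture are assumptions constructed for illustration.

```python
import re

# Header-based schemes named in the reply; other schemes are reported by name.
KNOWN = {"basic": "HTTP Basic", "digest": "HTTP Digest",
         "negotiate": "Negotiate (NTLM or Kerberos)", "ntlm": "NTLM"}
# Assumption: a redirect whose target looks like a login page means forms-based auth.
LOGIN_HINT = re.compile(r"login|logon|signin", re.I)

def parse_head(raw):
    """Return (status_code, [(lowercased_name, value), ...]) from a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers

def auth_methods(raw):
    """List the credential-acquisition methods one response asks the client for."""
    status, headers = parse_head(raw)
    # 401 is a challenge from the origin server, 407 from an intermediary proxy.
    challenge = {401: "www-authenticate", 407: "proxy-authenticate"}.get(status)
    found = []
    for name, value in headers:
        if name == challenge:
            # Only the first scheme on each header line is read.
            scheme = (value.split() or [""])[0].lower()
            found.append(KNOWN.get(scheme, "other: " + scheme))
        elif name == "location" and status in (301, 302, 303, 307) and LOGIN_HINT.search(value):
            found.append("forms based, redirect to " + value)
    return found

def first_challenge(responses):
    """Return (index, methods) for the first response that asks for credentials."""
    for i, raw in enumerate(responses):
        methods = auth_methods(raw)
        if methods:
            return i, methods
    return None

# Constructed capture (not from the thread): page load, then the file download.
SAMPLE = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Basic realm=\"files\"\r\n\r\n",
]

if __name__ == "__main__":
    print(first_challenge(SAMPLE))
```

Running it over one capture taken through the LTM and one taken directly against the web server shows whether the challenge on the download request differs between the two paths.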