Web application authentication but not required

I have to assume there's more to it than that. There are only so many ways that a client browser can authenticate to a web server, and most web servers only support a small subset of those methods. The methods generally include HTTP Basic, Digest, Negotiate (NTLM or Kerberos), and forms based (and not addressing SAML and other methods that usually require an agent process installed on the web server). In any case, each of these methods would then validate the user's credentials against a directory service, database, flat file, or something else. So I'm not specifically talking about how the user account is validated, but rather the method used to acquire the user's credentials (Basic, NTLM, etc.). This is the process, if any, that a proxy server may interfere with.

 

 

Perhaps the best way to determine that is with a capture of the HTTP communications between the client and server. The initial requests and/or response messages will usually allude to the authentication method. It's by hypothesis that the proxy server (BIG-IP) is unintentionally interfering with the way the user presents, or the way the web server consumes the client credentials.