Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 21, 2017

Javier, the issue is not with APM, but with the way modern browsers work. Think about the protocol flow:

 

  • -> Client GET request
  • <- Server sends 401 Authenticate message
  • The client isn't a member of the domain, so what does it do?

When "integrated authentication" is involved, a browser will attempt to provide authentication, usually starting with the strongest method (as defined in the server's Authenticate header), and then work down from there, ending with Basic. In the span of time between the server's 401 Authenticate response, and the browser prompting you for Basic credentials (because it can't send an NTLM token or Kerberos ticket), there's no communication with the server. There's no message that gets sent to the server between these events, so no opportunity for the server to respond with a different type of authentication request.

 

Most admins will insert an IP or URL check into the flow before deciding to issue the 401. That's what the referenced iRule is doing.