Configuring APM Client Side NTLM Authentication
Javier, the issue is not with APM, but with the way modern browsers work. Think about the protocol flow:
- -> Client GET request
- <- Server sends 401 Authenticate message
- The client isn't a member of the domain, so what does it do?
When "integrated authentication" is involved, a browser will attempt to provide authentication, usually starting with the strongest method (as defined in the server's Authenticate header), and then work down from there, ending with Basic. In the span of time between the server's 401 Authenticate response and the browser prompting you for Basic credentials (because it can't send an NTLM token or Kerberos ticket), there's no communication with the server. There's no message that gets sent to the server between these events, so no opportunity for the server to respond with a different type of authentication request.
Most admins will insert an IP or URL check into the flow before deciding to issue the 401. That's what the referenced iRule is doing.
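
Added example, not part of the original post and not the referenced iRule: a Python model of the pre-401 gate described above, combining both an IP check and a URL check. The subnets, URL prefix, logon path and function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed values for illustration; none of these come from the original post.
DOMAIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.10.0/24")]
NTLM_PATHS = ("/sso/",)       # hypothetical URL prefixes used by domain clients
FORMS_LOGON = "/logon/form"   # hypothetical forms-based logon page


def wants_ntlm(client_ip, path):
    """Pre-401 gate: challenge only sources expected to be domain-joined."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address: never challenge
    in_domain_net = any(addr in net for net in DOMAIN_NETS)
    return in_domain_net and path.startswith(NTLM_PATHS)


def first_response(client_ip, path, authorization=None):
    """Decide how to answer a request on a not-yet-authenticated session.

    Returns one of:
      ("redirect", url)    forms logon; no 401 is sent, so no Basic prompt
      ("challenge", "NTLM") send 401 with WWW-Authenticate: NTLM
      ("validate", token)  client answered the challenge; hand off to NTLM auth
    """
    if not wants_ntlm(client_ip, path):
        # The decision has to be made here: once a 401 goes out, the browser
        # falls back to a credential prompt without contacting the server again.
        return ("redirect", FORMS_LOGON)
    if authorization and authorization.startswith("NTLM "):
        return ("validate", authorization[len("NTLM "):])
    return ("challenge", "NTLM")


if __name__ == "__main__":
    # Constructed sample requests: (source IP, path, Authorization header)
    samples = [("10.1.2.3", "/sso/app", None),
               ("203.0.113.7", "/sso/app", None),
               ("10.1.2.3", "/sso/app", "NTLM AAAA")]
    for ip, path, auth in samples:
        print(ip, path, "->", first_response(ip, path, auth))
```

A client outside the listed subnets never receives a 401 in this model, so it is sent to the forms logon page instead of being prompted by the browser.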