Configuring APM Client Side NTLM Authentication
Good morning everyone,
Kevin, hi. I've tried what you suggested and even if it makes sense it does not work as expected (more than probably because even after all I've learned about NTLM thanks to this post I do not completely understand how it works). The iRule used is below.
So, I will explain what I did/tried and what I suspect is failing. I have one policy that checks the Registry looking for the specific domain, and if so the next step will be an iRule Event in the VPE, "ntlm_on" (now it does exist 🙂). After that I created an iRule that starts with HTTP_REQUEST -> "ECA disable", and if one specific APM session variable, "session.ntlm.required", exists and its content equals "yes", then ECA enable, else keep it disabled.
Besides that, the same iRule has ACCESS_POLICY_AGENT_EVENT that checks for ntlm_on. If it detects it, it will set session.ntlm.required = yes and technically will start ECA thanks to the HTTP_REQUEST section above... It does not. Reviewing the logs I can see that the ntlm_on event is detected and the iRule sets session.ntlm.required to yes. I believe that since it is the same HTTP transaction, and since NTLM technically happens at the LTM level, not APM, it cannot be triggered again for the same request, therefore it may not be able to be activated in the middle of the policy verification. Am I wrong? By the way, NTLM is working fine in my lab. Tested with the same computer and an HTTP_REQUEST ECA::enable iRule.
when HTTP_REQUEST {
    # Start with client-side NTLM (ECA) disabled for every request.
    ECA::disable

    # If the user is a corporate user the policy will require NTLM auth;
    # session.ntlm.required is set in ACCESS_POLICY_AGENT_EVENT below.
    set ntlm_user [ACCESS::session data get "session.ntlm.required"]

    if { $ntlm_user eq "yes" } {
        log local0. "NTLM_Enabled"
        ECA::enable
        ECA::select select_ntlm:/Common/NTLM_Auth
    } elseif { $ntlm_user eq "no" } {
        log local0. "NTLM_Disabled"
        ECA::disable
    }
}

when ACCESS_POLICY_AGENT_EVENT {
    # If NTLM is required by the policy a session variable is created and
    # read in the HTTP_REQUEST event above.
    if { [ACCESS::policy agent_id] eq "ntlm_on" } {
        log local0. "ntlm_required yes set"
        ACCESS::session data set session.ntlm.required "yes"
    } elseif { [ACCESS::policy agent_id] eq "ntlm_off" } {
        log local0. "ntlm_required off set"
        ACCESS::session data set session.ntlm.required "no"
    }
}
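A diagnostic iRule to test the suspicion raised in the post, added here as an example; it is not the poster's iRule and not F5's own code. It logs, with the APM session ID, every HTTP_REQUEST, the session start, each agent event and the policy completion, so the log shows whether an HTTP_REQUEST for the same session arrives after "ntlm_on" has set session.ntlm.required (and whether the Authorization header is present on it). It also guards the session-variable lookup with catch, since ACCESS::session data get raises an error in HTTP_REQUEST when no APM session exists yet. The agent IDs ntlm_on/ntlm_off, the variable name and the NTLM Auth Configuration /Common/NTLM_Auth are taken from the post; everything else is assumed.

```tcl
# Added diagnostic iRule (example, not the original poster's code).
# Assumptions: VPE iRule Event agents named "ntlm_on" / "ntlm_off" and an
# NTLM Auth Configuration at /Common/NTLM_Auth, as in the post.

when HTTP_REQUEST {
    # This runs before the access policy sees the request, so the ECA
    # decision for this request has to be made here.
    ECA::disable

    # No APM session exists on the very first request; catch the error
    # instead of letting the iRule abort.
    set ntlm_required ""
    catch { set ntlm_required [ACCESS::session data get "session.ntlm.required"] }

    # Session ID (empty when there is no session yet) to correlate log lines.
    set sid ""
    catch { set sid [ACCESS::session sid] }

    log local0. "HTTP_REQUEST sid=$sid uri=[HTTP::uri] ntlm.required='$ntlm_required' has_Authorization=[HTTP::header exists Authorization]"

    if { $ntlm_required eq "yes" } {
        ECA::enable
        ECA::select select_ntlm:/Common/NTLM_Auth
        log local0. "HTTP_REQUEST sid=$sid ECA enabled"
    }
}

when ACCESS_SESSION_STARTED {
    log local0. "ACCESS_SESSION_STARTED sid=[ACCESS::session sid]"
}

when ACCESS_POLICY_AGENT_EVENT {
    set agent [ACCESS::policy agent_id]
    log local0. "ACCESS_POLICY_AGENT_EVENT sid=[ACCESS::session sid] agent_id=$agent"
    switch -- $agent {
        "ntlm_on"  { ACCESS::session data set session.ntlm.required "yes" }
        "ntlm_off" { ACCESS::session data set session.ntlm.required "no" }
    }
}

when ACCESS_POLICY_COMPLETED {
    log local0. "ACCESS_POLICY_COMPLETED sid=[ACCESS::session sid]"
}
```

Read /var/log/ltm filtered on one sid: if the only "ECA enabled" line (or none at all) appears before the ACCESS_POLICY_AGENT_EVENT line for ntlm_on, the variable was set after the request's ECA decision had already been made, which is what the post suspects; a later HTTP_REQUEST line for the same sid with ntlm.required='yes' shows where ECA would actually take effect.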