Leveraging BIG-IP APM for seamless client NTLM Authentication
Hey Brad, the first error from the TMM mentions 'no body' in the POST request. SAML uses security assertions; logically, the APM system leverages BIG-IP HTTP capabilities via the TMM and websso daemon to handle Authn requests via HTTP (POST) requests.
You could put websso in debug to see what HTTP requests/data it gets, but the error sequence is similar to ID 667600:
K34203924: A newly created Kerberos access policy authentication agent may default to request-based authentication | https://support.f5.com/csp/article/K34203924
Looks like this ID requires RBA; you can see if the conditions and workaround apply for you:
To work around this issue, you can change the access policy Kerberos authentication agent properties Request Based Auth setting to disabled. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the Configuration utility.
2. Navigate to Access Profiles/Policies.
3. To open the visual policy editor, click the Edit link to the right of the affected access profile name.
4. Click the Kerberos Auth box.
5. From the menu, toggle the setting for Request Based Auth to Disabled.
6. Click Save.
7. Click Apply Access Policy.
~skye