Michael_Koyfma1
Altocumulus

Many customers express interest in using F5 Access Policy Manager (APM) for transparent, seamless authentication of their users.  Two leading use cases drive that desired behavior:

 

  1. Providing silent, seamless authentication to Windows-based applications such as Exchange or SharePoint from domain-joined machines.  The premise is that if the user is logged in to a domain-joined machine, no matter where they are, they should be able to perform seamless NTLM authentication to applications such as SharePoint based on the Windows Integrated Authentication settings.
     
  2. Providing SAML Identity Provider services with APM.  When users access SAML-enabled applications, those applications ask for SAML assertions.  Because APM can act either as a native SAML 2.0 IdP or as a proxy to other SAML IdPs such as ADFS, customers want silent authentication to those IdP services from domain-joined machines in order to seamlessly sign users in to SaaS applications such as Office 365, SalesForce.com, Google Apps, etc.

 

APM can perform three types of 401-based challenge authentication: Basic, NTLM, and Kerberos.  Basic always requires the user's intervention, but Kerberos and NTLM let users authenticate seamlessly to the APM virtual server, which can then either securely proxy the connection to a backend application such as SharePoint, using Kerberos Constrained Delegation as the SSO mechanism, or act as a SAML IdP and issue assertions to SAML Service Providers based on the user identity extracted during NTLM authentication or from the Kerberos ticket.
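To make concrete what the NTLM 401 exchange carries, and what the ECA events later hand the iRule (ECA::username, ECA::domainname, ECA::client_machine_name), here is an added Python example that is not part of the original article or of F5's code.  It builds and parses the NTLMSSP Type 1 (NEGOTIATE) and Type 3 (AUTHENTICATE) messages that travel base64-encoded in the Authorization: NTLM header, using the field offsets from MS-NLMP.  The domain, user and workstation names and the dummy NT response bytes are constructed sample values; the example only extracts the identity fields, it does not verify the credential, which is the domain controller's job (done through the machine account created in Step 1).

```python
"""Build and parse the NTLMSSP messages carried in an HTTP 401 NTLM exchange.

Added example, not part of the original article. Offsets follow MS-NLMP.
"""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE, otherwise OEM


def _sec_buf(msg, offset):
    """Read a security buffer (Len, MaxLen, Offset) and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1")


def message_type(msg):
    """Return the MessageType field (1, 2 or 3) after checking the NTLMSSP signature."""
    if len(msg) < 12 or msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def parse_authenticate(msg):
    """Extract what the ECA events expose (user, domain, workstation) from a Type 3 message."""
    if message_type(msg) != AUTHENTICATE:
        raise ValueError("expected an AUTHENTICATE (Type 3) message")
    if len(msg) < 64:
        raise ValueError("AUTHENTICATE message truncated")
    # Security buffers at fixed offsets (MS-NLMP 2.2.1.3): LmChallengeResponse 12,
    # NtChallengeResponse 20, DomainName 28, UserName 36, Workstation 44; NegotiateFlags at 60.
    flags = struct.unpack_from("<I", msg, 60)[0]
    return {
        "domain": _text(_sec_buf(msg, 28), flags),
        "user": _text(_sec_buf(msg, 36), flags),
        "workstation": _text(_sec_buf(msg, 44), flags),
        "nt_response_len": len(_sec_buf(msg, 20)),   # 24 bytes = NTLMv1, longer = NTLMv2
    }


def build_negotiate(flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Type 1 message: signature, type, flags, empty domain/workstation buffers, version."""
    header_len = 40
    return (NTLMSSP + struct.pack("<II", NEGOTIATE, flags)
            + struct.pack("<HHI", 0, 0, header_len) * 2 + bytes(8))


def build_authenticate(domain, user, workstation, nt_response,
                       lm_response=b"", flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Type 3 message: six payload fields laid out after an 88-byte fixed header."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    fields = [lm_response, nt_response, domain.encode(enc),
              user.encode(enc), workstation.encode(enc), b""]  # b"" = no session key
    header_len = 88
    header = NTLMSSP + struct.pack("<I", AUTHENTICATE)
    payload = b""
    for field in fields:
        header += struct.pack("<HHI", len(field), len(field), header_len + len(payload))
        payload += field
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)  # flags, Version, MIC
    return header + payload


def authorization_header(msg):
    """Encode a message the way the browser sends it: 'NTLM <base64>'."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_authorization_header(value):
    """Decode an 'Authorization: NTLM <base64>' header value into raw message bytes."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    message_type(msg)  # validates the signature
    return msg


def identity_from_header(value):
    """Header value -> 'user@DOMAIN (workstation)', the form the eca log line uses."""
    info = parse_authenticate(parse_authorization_header(value))
    return f"{info['user']}@{info['domain']} ({info['workstation']})"


if __name__ == "__main__":
    # Constructed sample: the NT response bytes are dummies, not a real NTLMv2 response.
    type3 = build_authenticate("CORP", "jdoe", "WS01", b"\x00" * 24)
    print(identity_from_header(authorization_header(type3)))  # jdoe@CORP (WS01)
```

The Type 2 (CHALLENGE) message that the server returns between these two is not built here; what matters for the iRule is that the Type 3 message is the first one that carries the identity, which is why ECA_REQUEST_ALLOWED is where the session variables get populated.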

 

Today we are going to examine the second use case: how to configure APM to perform client-side NTLM authentication and use it in the context of sending a SAML assertion to the Office 365 service.  It is assumed below that the reader knows how to configure APM for standard forms-based authentication and has at least one existing policy (although you can create a new one from scratch).  One of the easiest ways to test this is to deploy the Office 365 configuration using the iApp and then modify the configuration to enable NTLM authentication.  The steps below assume that you either have a working Office 365 configuration based on the iApp, or an equivalent policy that you can modify.

  1. First and foremost, we need to create an NTLM Machine Account object.  Under Access Policy, go to Access Profiles->NTLM->Machine Account and click on Create to join the BIG-IP to the domain and create a unique computer object in Active Directory.

 

0151T000003d650QAA.png

Keep in mind that you will need to create a unique account in Active Directory for your BIG-IP.  In the example above, the account name is bigip1.

 

  2. Create an “NTLM Auth Configuration” using the machine account created above.  Under Access Policy, go to Access Profiles->NTLM->NTLM Auth Configuration and click on Create.  Give the configuration a name, select the Machine Account Name value based on the object you created in Step 1, and add the FQDNs of the AD domain controllers in your infrastructure (as many as you have).

0151T000003d651QAA.png

  3. Now we need to create an iRule that will handle NTLM authentication to the BIG-IP properly.  You need to modify the static::appname_ntlm_config line in the RULE_INIT event to match the name of the NTLM Auth Configuration you created in Step 2.  You will also need to replace all instances of appname with a unique identifier.  Go to Local Traffic->iRules->iRules List and click on Create.  Give the iRule the name “ntlm-auth-iRule” and paste the iRule into the BIG-IP:

 

when RULE_INIT {
    # Number of failed NTLM attempts tolerated before the user is sent back to the policy
    set static::appname_ntlm_retries 2
    # Must match the NTLM Auth Configuration object created in Step 2
    set static::appname_ntlm_config "/Common/appname_ntlm_config"
    set static::appname_access_log_prefix "01490000:7:"
    set static::appname_ntlm_on_demand_prfx "$static::appname_access_log_prefix \[NTLM-ON-DEMAND\]"
}

when ACCESS_SESSION_STARTED {
    # Every new APM session starts with a clean retry counter
    ACCESS::session data set "session.ntlm.last.retries" 0
}

when HTTP_REQUEST {
    log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx Request: [HTTP::uri]"
    switch -glob -- [string tolower [HTTP::uri]] {
    "/ntlm/auth" {
        # Only the URI targeted by the External Logon Page agent receives the NTLM challenge
        set sid [ACCESS::session sid]
        log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx sid: $sid"
        set referer [HTTP::header value Referer]
        log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx Referer: $referer"
        # On the second pass through the virtual (see ECA_REQUEST_ALLOWED) the session id
        # arrives in the X-Session-Id header instead of the session cookie
        set x_session_id [HTTP::header value X-Session-Id]
        if { [string length $x_session_id] != 0 } {
            set sid $x_session_id
        }
        set retries [ACCESS::session data get -sid $sid "session.ntlm.last.retries"]
        log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx retries: $retries"
        set auth_result [ACCESS::session data get -sid $sid "session.ntlm.last.result"]
        log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx auth result: $auth_result"
        # Already authenticated, or out of retries: stop challenging and send the browser
        # back to the page it came from so the policy can evaluate NTLM Auth Result Check
        if { ($auth_result == 1) || ($retries == $static::appname_ntlm_retries) } {
            ECA::disable
            log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx Redirect to: $referer"
            HTTP::redirect "$referer"
        } else {
            # Challenge the client with the NTLM Auth Configuration from RULE_INIT
            ECA::enable
            ECA::select select_ntlm:$static::appname_ntlm_config
        }
        unset x_session_id
        unset referer
    }
    default {
        # Every other URI is handled by the access policy without NTLM
        ECA::disable
    }
    }
}

when CLIENT_ACCEPTED {
    # Table entries are keyed on the client IP and source port, which is why the
    # virtual must preserve the source port (Step 6) for the loopback connection
    set second_pass pass[IP::client_addr][TCP::client_port]

    # Check if this is the first or second time passing through this virtual
    if { [ table lookup $second_pass ] == "1" } {
        set wait_timeout 3000
        set wait_delay 100
        set wait_total 0
        set disable_ssl disablessl[IP::client_addr][TCP::client_port]

        # Wait for the SERVER_CONNECTED event of the first pass to complete
        while { [ table lookup $disable_ssl ] != 0
             && [ table lookup $disable_ssl ] != 1
             && $wait_total < $wait_timeout } {
            set wait_total [ expr "$wait_total + $wait_delay" ]
            after $wait_delay
        }
        unset wait_delay wait_timeout

        # Check table value set by SERVER_CONNECTED to disable ssl
        set disable_ssl_value [ table lookup $disable_ssl ]
        if { $disable_ssl_value == "1" } {
            # Invoked through eval so the iRule still validates on a virtual
            # that has no client SSL profile attached
            set command "SSL::disable"
            eval $command
            unset command
        } elseif { $disable_ssl_value != 0 } {
            log -noname accesscontrol.local1.notice "$static::appname_ntlm_on_demand_prfx Error: SERVER_CONNECTED event not completed after $wait_total ms"
        }
        table delete $disable_ssl
        table delete $second_pass
        unset disable_ssl wait_total
    } else {
        # This is the first time through this virtual. Set clientssl flag
        set client_ssl clientssl[IP::client_addr][TCP::client_port]
        if { [ catch { PROFILE::clientssl name } ] } {
            table add $client_ssl "0"
        } else {
            table add $client_ssl "1"
        }
        unset client_ssl
    }
    unset second_pass
}

when SERVER_CONNECTED {
    set client_ssl clientssl[IP::client_addr][TCP::client_port]
    set disable_ssl_value 0

    # Check clientssl flag set from CLIENT_ACCEPTED.
    if { [ table lookup $client_ssl ] == "1" } {
        if { [ catch { PROFILE::serverssl name } ] } {
            # Clientssl is present but serverssl is not. Disable clientssl on the loopback
            set disable_ssl_value 1
        }
        table delete $client_ssl
    }
    set disable_ssl disablessl[IP::client_addr][TCP::client_port]
    table add $disable_ssl $disable_ssl_value
    unset disable_ssl

    unset client_ssl disable_ssl_value
}

when ECA_REQUEST_ALLOWED {
    # NTLM succeeded: store the identity the policy's NTLM Auth Result Check will consume
    log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx NTLM Auth succeeded"
    ACCESS::session data set session.ntlm.last.username "[ECA::username]"
    ACCESS::session data set session.ntlm.last.domainname "[ECA::domainname]"
    ACCESS::session data set session.ntlm.last.machinename "[ECA::client_machine_name]"
    ACCESS::session data set session.ntlm.last.status "[ECA::status]"
    ACCESS::session data set session.ntlm.last.result 1
    ACCESS::disable
    # Carry the session id (set in HTTP_REQUEST) to the second pass
    HTTP::header insert X-Session-Id $sid
    log -noname accesscontrol.local1.debug  "$static::appname_ntlm_on_demand_prfx use virtual: [ virtual name ]"

    # Set flag for next CLIENT_ACCEPTED telling it that it is the second pass through virtual
    set second_pass pass[IP::client_addr][TCP::client_port]
    table add $second_pass "1"
    unset second_pass

    # Connect to itself in order to generate HTTP response
    use virtual [ virtual name ]
}

when ECA_REQUEST_DENIED {
    # NTLM failed: count the attempt; HTTP_REQUEST stops challenging once the limit is hit
    log -noname accesscontrol.local1.debug "$static::appname_ntlm_on_demand_prfx NTLM Auth failed"
    set retries [ACCESS::session data get session.ntlm.last.retries]
    if { $retries != $static::appname_ntlm_retries } {
        incr retries
        ACCESS::session data set session.ntlm.last.retries $retries
    }
}

 

After creating this iRule, assign it to the APM Virtual Server.

  4. Now you can create or modify your existing policy as shown below.

 

0151T000003d652QAA.png

 

Let’s examine how the policy depicted above is structured.  The assumption is that the policy is going to be used to authenticate both internal and external users.  If the users are coming in from the internal corporate network, we want to steer them straight to NTLM authentication; if not, we want to use forms-based login to authenticate them.  I’ve started the policy with an IP Subnet Match action to steer clients from certain networks to NTLM authentication.

 

 

0151T000003d653QAA.png

 

Once the desired source networks are matched, we create an External Logon Page object that sends the user back to the APM virtual server and requests NTLM authentication.

 

0151T000003d654QAA.png

 

After sending the user to the “external logon page”, which is in fact just a request to the same virtual server, handled by the iRule that enables NTLM authentication between the client and the BIG-IP, we need to check the status of the NTLM authentication, so we add the “NTLM Auth Result Check” action to see whether the NTLM authentication was successful.  If so, we need to populate the username session variable so that APM can use it in session reporting/tracking, the SAML assertion, SSO, etc.

 

 

0151T000003d655QAA.png

 

Now you can assign the necessary resources to the user session.  In this example, we are assigning the SAML resource that makes APM act as the IdP for Office 365.

 

 

 

0151T000003d656QAA.png

 

 

After you have finished creating or modifying the access policy, make sure it is assigned to the APM virtual server.

 

  5. Now we need to associate an ECA profile with the virtual server in order to enable the NTLM functionality.  This assignment has to be performed from the command line.  Establish an SSH connection to the box, enter tmsh, and type the following commands, substituting the name of your virtual server for NTLM-AUTH-vs:
    1. modify /ltm virtual NTLM-AUTH-vs profiles add { eca }
    2. save /sys config
    3. list /ltm virtual NTLM-AUTH-vs
    4. Note the ‘eca’ profile associated with the virtual server
0151T000003d657QAA.png

 

6.  Next, we need to modify how the virtual server handles preservation of the original source port of the connection.  The iRule keys its table entries on the client IP and source port and matches them again on the second pass through the virtual, so the source port must survive the loopback connection.  This can be done either from the BIG-IP administrative interface or from the command line.  Both are shown below.

  1.  Command line interface
    1. Using the same SSH session established in Step 5, type the following commands, substituting the name of your virtual server for NTLM-AUTH-vs:
      1. modify /ltm virtual NTLM-AUTH-vs source-port preserve-strict
      2. save /sys config
  2. BIG-IP administrative interface
    1. From the main menu, go to Local Traffic > Virtual Servers > Virtual Server List.
    2. Click on the APM virtual server.
    3. Under Configuration, select Advanced.
    4. For Source Port, select Preserve Strict.
    5. Click Update.

 

7.  Last but not least, you need to ensure that the machine you’re using to achieve the silent sign-on has the APM virtual server’s FQDN added to its Local Intranet zone, as in the picture below.

 

0151T000003d658QAA.png

 

 

 

Voila! You should be all set.  Point the browser on that machine to the FQDN of the APM virtual server where you assigned the new policy and iRule, and you should be silently authenticated.  If you are interested in performing SSO to applications such as SharePoint, you will need to set up Kerberos SSO in order to perform single sign-on to SharePoint based on the NTLM authentication.

 
Comments
EmBee_57573
Nimbostratus
Hi Michael,

Great article!

I was wondering what the eca profile exactly does. It is not documented very well in the manuals. Could you elaborate on the functionality of it?
Michael_Koyfma1
Altocumulus
ECA profile enables NTLM authentication - that is it. It's mostly implicitly used by built-in features such as OutlookAnywhere NTLM auth and Secure Web Gateway authentication mechanism. There is documentation on the iRule-based ECA events and commands: https://tstdmzdevcentral.olympus.f5net.com/wiki/irules.eca.ashx
ndaems
Nimbostratus
Hello Michael,

Did the test with the provided iRule but am always getting the following error message:

Access policy evaluation is already in progress for your current session.

You may see this message, if you are using a different browser tab than the one where you started the access policy initially. Please continue to finish your access policy in the previous browser tab, and close this current window immediately.

If you have reached to this message due to some other error, click here for creating a new session.

Do you have any idea of what could be wrong?

Seems that there is a new session that triggers this event...

Thanks!
Bonnie_123329
Nimbostratus
I'm getting the same error that a session is already in progress. It appears that it is only doing the RULE_INIT piece every time even when calling from the External logon page with /ntlm. It does this several times and then errors out.
drugovm_149811
Nimbostratus
Great article.

Thank you. I'm trying to leverage this seamless approach for my SharePoint and some other web app deployments (for SharePoint Kerberos, for other apps NTLM & form based).

I'm trying to get a basic setup just to start and I'm getting this error message:

bad sid value length (line 1)variable lookup failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data get -sid $sid "session.ntlm.last.retries""

Any ideas?

Thanks
Rabbit23_116296
Nimbostratus
Nice work and thanks for sharing this, hoping to implement it soon and replace my external pool page with the native NTLM capability of the appliance
Brian_Nin_16643
Nimbostratus
Hey, I'm trying to implement this now. I am getting machine authentication failures to my Active Directory domain. Whenever I look in the AD logs it shows the domain as instead of . I am able to renew the machine password from the APM gui. Has anyone run into this problem or know what might be causing it?
Brian_Nin_16643
Nimbostratus
Sorry, that last comment didn't include everything. My domain is domainname.com, but when I see the auth failures in AD it's just for domainname without the .com. I don't know if this is an issue or not. With this utilizing a fairly lengthy iRule, is it fully supported by F5?
brad_11480
Nimbostratus
drugovm - I also am getting this message when trying to access information regarding a session. TCL error: /Common/rule - bad sid value length (line 1)variable lookup failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data get -sid $mysid "session.user.clientip"" the value of mysid is d3eba4d1 Wondering how this was solved?! thanks so much.
Noah_Hackl_6776
Nimbostratus
I am seeing the same problem as drugovm and brad. After a little digging I found that the [ACCESS::session sid] command in the HTTP_REQUEST portion of the iRule returns an empty string. Checking for values in the ACCESS_SESSION_STARTED portion of the iRule does generate a sid value, but this is not preserved when the actual HTTP request comes through. I even tried manually creating a session with [ACCESS::session create] in the HTTP_REQUEST portion of the rule, however, this appears to be an invalid usage of the command. I am on 11.3 for this particular BIG-IP, so could that be the issue? I will set it up on my 11.5 set tomorrow and see if the behavior changes.
Noah_Hackl_6776
Nimbostratus
So it wasn't the version, it was the mismatched names on my NTLM auth config. Very important, maybe under-emphasized here, that the NTLM config name has to match the VS name. This manual page helped a great deal: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/4.html#unique_1048502488
Cody_Green
F5 Employee
Noah and Brad, If you're still seeing the TCL error: bad sid value length be sure you updated the Virtual Server Source Port settings to Preserve Strict.
Julio_Navarro
Cirrostratus
Hello; I am getting the following err: [0x1e721a4:459] Internal error (ECA requested abort (Could not verify user (domain\myuser) credential (STATUS_NO_LOGON_SERVERS))) Please advise.
Michael_Koyfma1
Altocumulus
@J Navarro - this error means that the NTLM authentication could not be performed for whatever reason. Please do open a support case to troubleshoot it - or double-check that your NTLM account is setup properly, etc. You might want to check tcpdump as well during the authentication process to see what is happening.
Dave_Hart_85_14
Nimbostratus
Hi Michael, I would like to use client side NTLM to authenticate users from two different Active Directory domains. Could you tell me how to modify the irule to achieve this? I have created the Machine accounts and setup the two NTLM auth configs, but I can't figure out how to modify the irule. I have the setup working with one SAML IDP vip and one access poilicy that will assign a SAML resource for two service providers. I would like to continue to use one vip and one access policy if possible.
AlgebraicMirror
Nimbostratus
Thank you! This worked for me, and I was able to get NTLM working on a custom policy I set up. This seems pretty complicated though considering how common front side NTLM seems to be among various clients. Is there any chance F5 could build this into the product, perhaps in the 401 response as an additional "NTLM" option in the dropdown?
AlgebraicMirror
Nimbostratus
One other question: is it required to make the "Port translation" setting on the virtual server "preserve-strict"? Preserve-strict always makes me nervous, because if some other connection already uses the same ephemeral port you just tried to connect with, then strict means you won't translate the port and will just send the client a TCP RST (reset), breaking their connection. So is it absolutely required that it be "preserve-strict", and if so why?
Felix_Marwede
Nimbostratus
Hi, I have a problem using this with our SharePoint. In the step "External Logon Page - iRule" (the External Logon Page object), I need to dynamically set the URI (FQDN of the APM virtual server) as the SharePoint uses different URLs. Two questions: - How can I set a URI like http:\\$hostname\nltm\auth instead of a complete http:\\fixed.url\nltm\auth - Is there a chance for the NTLM authentication with different URLs? Is there a specific APM cookie that is set whose value could be replaced by the IP address or another value to be recognised by F5? I am asking because when using a different URL to the same APM virtual server, the NTLM authentication begins again (also an alternative Logon Page, if the NTLM authentication was not successful). Thanks for your feedback!
Josiah_39459
Historic F5 Account
If this isn't working in v12.0, please try replacing these lines: set static::appname_access_log_prefix "01490000:7:" and set static::appname_ntlm_on_demand_prfx "$static::appname_access_log_prefix \[NTLM-ON-DEMAND\]" with the single line set static::appname_ntlm_on_demand_prfx "01490000:7: \[NTLM-ON-DEMAND\]". Please report back feedback since as far as I know no one has tested this in v12 yet.
Michael_Koyfma1
Altocumulus
@felix - why does your SharePoint use different URLs? Curious about that setup. If you are only using it for the SharePoint, you can try to set the domain cookie under the Access Policy. By default, the APM policy will set a host-level cookie - so if you have two URLs - sharepoint.company.com and library.company.com, this would require two different access sessions, setting a domain-level cookie, or setting up multi-domain SSO. The easiest test to see if you can avoid the problem is to set up a domain-level cookie just to ensure that it would address the issue. Then, if it works, you can try to set up Multiple Domains under SSO and configure each cookie for the host-level entry.
Felix_Marwede
Nimbostratus
@michael - this is not the biggest problem for me. Currently I have the problem that the external logon URI needs to be an FQDN. How can I do that dynamically depending on the URL used by the client? E.g. I cannot include library.company.com there because all my logins to the URL sharepoint.company.com will in this case be redirected to the inserted external Logon Page information... There must be something to dynamically use a specific variable or something to get this topic closed... Our SharePoint has seven different URLs... intranet/customer-service/myhome/etc. Does this mean I need to use another virtual server, which means another public IP for each of these DNS names, to accomplish my goal? Or what do you mean with "use two access sessions" here?
Has anyone gotten this to work in V12 yet? We just did the upgrade and while we were using an older version of the iRule, and tried updating to the rule above, it doesn't currently work for us. Support case is logged, but any advice would be great. Ta
f5learn_164388
Nimbostratus
Hi, We are on 11.5.1 and went through the steps as mentioned in the article and keep seeing the following in the logs. Any pointers on where to start looking to troubleshoot this. Logging Agent: entering External Logon Page May 3 18:06:58 NCF5APMB err nlad[4750]: 01620000:3: <0x559058f0> clntsvc: error [0xc000005e,NT_STATUS_NO_LOGON_SERVERS] queuing logon request May 3 18:06:58 NCF5APMB warning eca[5424]: 01620002:4: [Common] 208.72.180.21:40530 Authentication result: USERNAME@USERDOMAIN (COMPUTERNAME): Fail (STATUS_NO_LOGON_SERVERS) May 3 18:06:58 NCF5APMB err eca[5424]: 0162000e:3: Could not verify user (USERDOMAIN\USERNAME /Common/seamless-ntlm, service Id: 22 for domain USERDNSDOMAIN DC: xxx.xxx.com (10.100.26.15), account:COMPUTERNAME) credential (STATUS_NO_LOGON_SERVERS) May 3 18:06:58 NCF5APMB warning eca[5424]: 0162000f:4: Received invalid type of NTLMSSP message Thanks, Ski
brad_11480
Nimbostratus
I'm on 11.5.3 and hoping to get this working. When I set up the machine connection to AD and then define the servers it seems to register fine, but then I get errors in the log saying init: Error 1, NT_STATUS_UNSUCCESSFUL.

We can't figure out why this is, and it just doesn't work. Thanks.
brad_11480
Nimbostratus
Bump.. so now at version 12 and still nothing working. Is there a good, proven guide for setting up NTLM with APM? Here I want it as part of SAML/SSO.
CX_280703
Nimbostratus
I am also seeing the error: TCL error: bad sid value length, but only for Firefox and intermittently. I can recreate the issue by creating a new profile in FF and then trying the NTLM auth, and it fails with the TCL error; if I close the window and try again it works. Anyone have issues with Firefox???
brad_11480
Nimbostratus
I'm beginning to think that NTLM auth with SAML/SSO is a futzz at best and is unworkable in general. I can get some of it to work with Firefox, others to work in Chrome, none to work in IE.

In Chrome on one of them I see LTM reporting: warning tmm[19392]: 01480001:4: No held transaction to sink. The mentions of it in DevCentral relate to ASM and not APM. While it says warning, the client browser just spins waiting for a response from the IdP.

In IE the error is: Nov 17 08:07:27 slot1/f5ext1a err tmm1[19392]: 014d0002:3: 25408ee6: SSOv2 POST Authn Request has no body Nov 17 08:07:27 slot1/f5ext1a err tmm1[19392]: 014d0002:3: 25408ee6: SSOv2 Error(12) Extracting SAML Data from Request

I don't use the code above in version 12 as I understood this was all now a working feature.

If anyone has a solid working solution, it would very much be appreciated. Thanks so much.
Skye_85590
Nimbostratus
Hey Brad, the first error from the TMM mentions 'no body' in the POST request. SAML uses security assertions; logically the APM system leverages BIG-IP HTTP capabilities via the TMM and websso daemon to handle Authn requests via HTTP (POST) requests.

You could put websso in debug to see what HTTP requests/data it gets, but the error sequence is similar to ID 667600:

K34203924: A newly created Kerberos access policy authentication agent may default to request-based authentication | https://support.f5.com/csp/article/K34203924

Looks like this ID requires RBA, you can see if the conditions and workaround apply for you:

To work around this issue, you can change the access policy Kerberos authentication agent properties Request Based Auth setting to disabled. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Log in to the Configuration utility. Navigate to Access Profiles/Policies. To open the visual policy editor, click the Edit link to the right of the affected access profile name. Click the Kerberos Auth box. From the menu, toggle the setting for Request Based Auth to Disabled. Click Save. Click Apply Access Policy.

~skye

JMG82888_358204
Nimbostratus
Hello - In the process of learning a lot about the F5 stuff, so it is quite possible I overlooked something in the setup of this - but when I apply the iRule to my VIP, it seems like clients that match the IP subnet get "page cannot be displayed" because the connection was refused, and when the IP subnet is not matched they get the forms login page - which seems to be fine. Any ideas on this?

Thanks in advance.

JMG82888_358204
Nimbostratus
Hello - When setting this up, the NTLM piece works well - but after that, I get a SAML error when trying to connect to the webtops. It works fine for machines that are not on the IP subnet match, but doesn't for the machines that are on the subnet match. Is there something in the iRule that I would need to adjust? Thank you
Marvin
Cirrostratus
A client is requiring exactly the same setup for internal users. If I understand correctly this will mean the F5 has to be able to poll all internal clients using NTLM and also verify the result with the AD server?

So the firewall rule would be F5 Self IP --> all internal clients using UDP/TCP 137/138? Isn't this a security risk, allowing a DMZ device to contact internal clients on this port number?

paulfish
Nimbostratus
For anyone reading this article and trying to use any code forward of 14.1.0 you should know NTLM is broken.

https://cdn.f5.com/product/bugtracker/ID797541.html

Further, if you go to a Kerberos config and you leave this setting enabled from this guide:

For Source Port, select Preserve Strict.

You will get resets on the VIP; it won't show up in testing until someone else tries using it. I put it through Dev, went to production and released it. Then I raised a Sev2; it wasn't immediately obvious for support either. It's taken 24 hours to resolve....
Smithy
Cirrostratus
This has been fixed in 14.1.2.1: https://support.f5.com/csp/article/K05115516

Version history
Last update: 22-Jul-2014 12:37