F5 seems to break NTLM Auth when using Powershell but ok with browser

Question

Hi,&nbsp;
I have a VS with just a server behind hosting a webservice.&nbsp;
When I use Powershell to call the webservice, it works with the direct call to the server but not when F5 is in front.&nbsp;
With a browser, it's always working correctly&nbsp;
The powershell calls look like this :&nbsp;
Direct: Invoke-RestMethod -Uri https://myserver.domain.com:9999/MyPath/Id/21 -UseDefaultCredentials
Via F5: Invoke-RestMethod -Uri https://myserver-f5.com/MyPath/Id/21 -UseDefaultCredentials&nbsp;
I always receive a 401 with Powershell and F5&nbsp;

ngutierrez31_19 · Answer

It would be interesting to see the raw http request as we could probably identify an unhealthy/unusual component. &nbsp;

pboog · Answer

I've done some capture and I can see that Powershell via direct call use Kerberos authentification&nbsp;
A browser use NTLM authentification always (direct call or via F5)&nbsp;
So why Kerberos isn't working with F5 in front and powershell ?&nbsp;
The first response from the backend server is always like this (with F5 or not) :
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Kerberos
WWW-Authenticate: NTLM
WWW-Authenticate: Basic&nbsp;
When direct call, powershell send a Kerberos token in the next request and it works
When F5 is in front, Powershell doesn't send a next request&nbsp;
A browser send a NTLM token in the next request, with F5 or direct call&nbsp;

keesvandenbos · Answer

Is powershell able to get a kerberos ticket for myserver-
Or is there only a kerberos service for my server.domain.com in your kerberos database?&nbsp;
Cheers,&nbsp;
Kees&nbsp;

pboog · Answer

I'm not a Kerberos specialist but I think there's only a Kerberos service for myserver.domain.com
Do you think I need to configure APM on the F5 ?&nbsp;

keesvandenbos · Answer

Does it work when you change your hosts file on your machine.
Adding my server.domain.com with the VS IP address in the hosts file? (connect powerhell to: Invoke-RestMethod -Uri https://myserver.domain.com/MyPath/Id/21 -UseDefaultCredentials)&nbsp;
Cheers,&nbsp;
Kees&nbsp;

Forum Discussion

F5 seems to break NTLM Auth when using Powershell but ok with browser

9 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Automation with PowerShell - Part 1

Microsoft Powershell with iControl

F5 Automation with PowerShell - Part 2

Ending an APM session when browser tab is closed

F5 Automation with PowerShell - Part 4