cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

F5 SWG NTLM failback

bdavis
Nimbostratus
Nimbostratus

We currently utilize SWG forward proxy with primary authentication of Kerberos. We are having an issue where sporadically the client sends a Authorization header of Negotiate YIII... and the F5 throws the below error and we do not have multiple keytabs, I know there is a article in relation to this in previous versions but they don't seem to apply to us.

 

"GSS-API error gss_accept_sec_context: 70000 : No credentials were supplied, or the credentials were unavailable or inaccessible

GSS-API error gss_accept_sec_context: 0 : Unknown error"

 

We have a support ticket open for this. However it's not my primary reason for posting unless someone has had this issue. What I'm asking for help for is I'm trying to find a way to detect when this happens and if it does fallback to ntlm. I haven't had any ideas on how to do this next to possibly handling the 401 in irule, go to clientless mode and then track if the user intial request failed, if it respond back with another 401 for NTLM and then enable ECA. But I'm still unsure this would work without removing the ACCESS::session and recreating because of APM flow.

 

Anyways any ideas would be great. Also probably good to note that we are using captive portal because this is a transparent proxy deployment.

0 REPLIES 0