Forum Discussion
Lucas_Thompson_
Historic F5 Account
I don't immediately see how it's possible to tell if a PC is able to authenticate without asking it via a 401, which produces a browser auth pop-up. Is there anything in the initial HTTP request that you can use to tell this class of clients from the other class of clients?
Well, perhaps you could use Group-Policy IEM tool to modify the User-Agent and show the 401 to only those guys via some simple VPE logic? But they would have to use only IE, unless there is some way to do this with Firefox to a group of PCs.
https://technet.microsoft.com/en-us/library/cc770379.aspx
Evan_Champion_1
Jan 25, 2016
Hi all -- I was able to get a workaround for this from F5 support, which seems to do the right thing. Quoting from the F5 support response:
The setup involves checking for the session variable "session.logon.last.authparam". This variable gets set when the client supports "Negotiate"; it is not set when the client supports "Basic". The necessary steps are listed below:
- Add a "Variable Assign" before the "HTTP 401 Response": "session.logon.last.authparam = return {}" (this sets the session variable "session.logon.last.authparam" to blank).
- Configure the "HTTP 401 Response":
  - "HTTP Auth Level": "negotiate"
  - "HTTP response message": ""
- Add a "Special_Basic" branch rule: "expr {[mcget {session.logon.last.authparam}] == ""}" (this has to be placed ABOVE the "Negotiate" branch).
Now when the client is not supporting Negotiate it goes down the "Special_Basic" branch.
I tried it and the result looked to be as expected. If the user is prompted for Kerberos and Kerberos fails then the failure path (designated by the Special_Basic branch) is taken.
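To make the mechanics of the workaround concrete, here is a small simulation of the three policy steps (Variable Assign, HTTP 401 Response with Negotiate, branch rule order) run against constructed client replies. This is an added example, not code from Evan's post, from F5 support, or from the APM product: the session variable name and branch names come from the thread, while the function names, the session dictionary, and the fake SPNEGO token and Basic credential are assumptions made for illustration. It also shows why the Variable Assign matters, by feeding in a session that still holds a stale value from an earlier pass.

```python
import base64

# Constructed example: a simulation of the APM access-policy logic described in the
# thread (Variable Assign -> HTTP 401 Response -> branch rules). Not F5 code; the
# function names, session dictionary, token and credential values are assumptions.

AUTHPARAM_VAR = "session.logon.last.authparam"  # variable name taken from the thread


def parse_authorization(header_value):
    """Split an Authorization header value into (scheme, param); ('', '') if absent."""
    if not header_value:
        return "", ""
    parts = header_value.strip().split(None, 1)
    scheme = parts[0].lower()
    param = parts[1].strip() if len(parts) > 1 else ""
    return scheme, param


def variable_assign_clear(session):
    """Step 1: blank the variable before the 401 is sent, so a value left over
    from an earlier pass through the policy cannot satisfy the branch rule."""
    session[AUTHPARAM_VAR] = ""


def http_401_negotiate():
    """Step 2: the challenge sent with HTTP Auth Level 'negotiate' and an empty body."""
    return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}


def record_auth_response(session, request_headers):
    """Set the variable only when the client answered the Negotiate challenge with a
    token. A Basic credential or a missing header leaves it blank."""
    scheme, param = parse_authorization(request_headers.get("Authorization"))
    if scheme == "negotiate" and param:
        session[AUTHPARAM_VAR] = param


def choose_branch(session):
    """Step 3: the Special_Basic rule is evaluated before the Negotiate branch."""
    # Equivalent of: expr {[mcget {session.logon.last.authparam}] == ""}
    if session.get(AUTHPARAM_VAR, "") == "":
        return "Special_Basic"
    return "Negotiate"


def run_policy(client_request_headers, stale_session=None):
    """Run the three steps for one client's reply to the 401 and return the branch taken."""
    session = dict(stale_session or {})
    variable_assign_clear(session)
    challenge = http_401_negotiate()           # what the browser receives
    assert challenge["headers"]["WWW-Authenticate"] == "Negotiate"
    record_auth_response(session, client_request_headers)
    return choose_branch(session)


# Constructed client replies; the token and the credential are fake.
KERBEROS_CLIENT = {"Authorization": "Negotiate YIIBxwYGKwYBBQUCoIIBuzCCAbegJzAl"}
BASIC_ONLY_CLIENT = {"Authorization": "Basic " + base64.b64encode(b"user:fake-pass").decode()}
NO_AUTH_CLIENT = {}


def demo():
    """Branch taken for each constructed client, plus the stale-session case."""
    return {
        "kerberos": run_policy(KERBEROS_CLIENT),
        "basic": run_policy(BASIC_ONLY_CLIENT),
        "none": run_policy(NO_AUTH_CLIENT),
        # Without step 1 this stale value would send a non-Negotiate client down
        # the Negotiate branch; the Variable Assign clears it first.
        "stale_cleared": run_policy(NO_AUTH_CLIENT, {AUTHPARAM_VAR: "stale-token"}),
    }


if __name__ == "__main__":
    for name, branch in demo().items():
        print(f"{name:14s} -> {branch}")
```

The order check in `choose_branch` is the part that is easy to get wrong in the VPE: if the Negotiate branch were evaluated first, a blank variable would never be seen by the Special_Basic rule, which is why the thread insists that rule sits above it.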