Forum Discussion
It doesn't currently exist in the environment. I just keep getting screenshots of iApp questions and answers, and nowhere does it just allow me to use Kerberos. It always says "NTLM" and only talks about the machine account in addition to Kerberos.
The current environment is just using the BIG-IP to proxy traffic to the Exchange servers. I guess my confusion is around the NTLM machine account. Is that something created in AD? And then put on the BIG-IP?
Which documentation are you now working from?
In the one you posted earlier it shows where you create the account. You do this from the BIG-IP, and afterwards it exists in AD.
Configure a machine account
You configure a machine account so that Access Policy Manager (APM) can establish a secure channel to a domain controller.
On the Main tab, click Access > Authentication > NTLM > Machine Account.
A new Machine Account screen opens.
Do you perhaps have an F5 partner or similar who can help? Getting this worked out through a forum is tricky.
- JustCooLpOOLe, Jan 30, 2023, Cirrocumulus
We'll reach out to support on any hangups. I'm mainly just trying to understand how this works. It's not everyday you try to configure NTLM authentication through the BIG-IP, you know.
We're working through this: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ntlm-authentication-for-microsoft-exchange-clients.html
- boneyard, Jan 30, 2023, MVP
Which explains a good part of it I believe.
To do NTLM authentication on the BIG-IP you need to have it domain joined. That is just a requirement, and it is similar for other products that want to allow NTLM authentication from clients, like a web proxy; see:
https://help.endian.com/hc/it/articles/218144628-Web-Proxy-Authentication-NTLM-
Now we can join the domain by providing a Domain Administrative user name and password (one with permissions to perform domain joins).
BTW: I said earlier that you require the machine account for the Kerberos authentication. That is my bad, but it is NOT the case. You need the machine account to do the NTLM authentication.
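One practical follow-up to the point made above (the machine account is created from the BIG-IP and then exists in AD) is to confirm from the AD side that the computer object actually landed, is enabled, and had its password set when the BIG-IP joined. The script below is an added example written for this page, not code from the thread or from F5; it runs on a domain-joined Windows admin host with the ActiveDirectory RSAT module. The machine account name `bigip-apm` and the domain `corp.example.com` are assumptions standing in for whatever was entered on the APM Machine Account screen.

```powershell
# Added example: verify the APM NTLM machine account that the BIG-IP created in AD.
# Assumed values (replace with what you typed on the BIG-IP Machine Account screen):
$MachineAccount = 'bigip-apm'          # assumed Machine Account Name
$Domain         = 'corp.example.com'   # assumed Domain FQDN

Import-Module ActiveDirectory -ErrorAction Stop

try {
    # Machine accounts are computer objects; the sAMAccountName carries a trailing '$'.
    $computer = Get-ADComputer -Identity $MachineAccount -Server $Domain `
        -Properties Enabled, PasswordLastSet, whenCreated, DistinguishedName, servicePrincipalName `
        -ErrorAction Stop
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Error "No computer object named '$MachineAccount' in $Domain. The BIG-IP join did not create it (or it was created in a different domain)."
    return
}

# Summarise what the BIG-IP join produced.
[pscustomobject]@{
    Name            = $computer.Name
    SamAccountName  = $computer.SamAccountName
    Enabled         = $computer.Enabled
    WhenCreated     = $computer.whenCreated
    PasswordLastSet = $computer.PasswordLastSet
    DN              = $computer.DistinguishedName
    SPNs            = ($computer.servicePrincipalName -join '; ')
} | Format-List

# Caveats a practitioner cares about before blaming the BIG-IP configuration:
if (-not $computer.Enabled) {
    Write-Warning 'Computer object is disabled; APM cannot establish its secure channel to a DC with it.'
}
if ($null -eq $computer.PasswordLastSet) {
    Write-Warning 'Password has never been set; the join from the BIG-IP probably did not complete.'
}
elseif ($computer.PasswordLastSet -lt (Get-Date).AddDays(-30)) {
    Write-Warning 'Machine account password is older than 30 days; check whether a domain policy reset or disabled it.'
}
```

Run it as a user that can read computer objects in the domain (no domain admin rights are needed for the check itself). If the object is missing, disabled, or has no password set, the NTLM configuration on the BIG-IP will fail regardless of what the NTLM Auth Configuration screen says, which is usually the first thing worth ruling out.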