Forum Discussion

Etienne_28122
Oct 24, 2012

Pass-through authentication

Very new to this so just trying to figure stuff out.


I have an IIS site that requires users to be authenticated. The site is configured to accept integrated authentication. That is, the AD credentials the user used to log into his domain-joined computer.

It looks like the F5 is stripping off these credentials and requires the users to authenticate. Once they authenticate everything works fine. But I need to be able to just pass the credentials on seamlessly.

Is this possible and if so how do you do it?


9 Replies

  • I can't see the F5 doing that unless it's been configured to. Are you using APM? What version are you running? Can you post the Virtual Server configuration with any sensitive values replaced please?
  • What is the best way to post the virtual server config? Is there a way to export it to a text file or something similar?

  • You'll need to SSH to the device, login, enter tmsh (the command is simply tmsh) and then type 'list ltm virtual name' and that should give you the configuration in a text format.
  • Thanks for your assistance so far.


    Here is the output of the vs:

        ltm virtual vs_caissaVB {
            destination 10.38.6.246:http
            ip-protocol tcp
            mask 255.255.255.255
            pool pool_caissaVB
            profiles {
                http { }
                ntlm { }
                oneconnect { }
                tcp { }
            }
            snat automap
            vlans-disabled
        }

    Don't know if that is what you are looking for...

  • I'd suggest you remove the NTLM and OneConnect profiles and see if that makes a difference. If you connect to the server directly do you not have to authenticate?
  • I have removed the OneConnect and NTLM but I have the same issue.

    The user does authenticate but not actively, as it is using the logged-on credentials. The F5 does not seem to pass those on.

    It seems to want to do its own 401 request.

  • I don't think the issue is the F5. Have you tried connecting to a server directly, bypassing the F5, does that work?

    If you want to confirm, I'd suggest you do a tcpdump packet capture and I think you'll see it's the web server originating the 401.
  • Thanks Steve

    I have noticed that the site, which is a custom-written one, does behave a little strange even if publishing it through TMG 2010.

    I am going to chalk this one up to a site-specific issue...

  • OK, you might as well reapply the NTLM and OneConnect profiles then, if you haven't already. Thanks for letting us know.