How to force a back-end authentication request?
The subject line above may be a bit misleading/confusing, and I'm in a bit over my head, so here's my scenario.
I'm trying to replace a Microsoft ISA server with F5 APM. For this part of my project, the back-end servers are SharePoint 2010. We have an access profile that requires all users to log into APM, check credentials against a Windows DC, and send NTLM to the back-end.
For sites where the back-end requires authentication for all content, everything works just fine.
However, for sites where some content is anonymously available (from the SharePoint point of view), I've got some unusual behavior. On one site, for instance, all pages have a "Login" box at the top. On ISA, the Login field is replaced with an identifying "you're logged in as Your-name Here", but on the F5 it's just a login prompt.
Once you do something that requires special privileges (visiting a back-end page, or a page that otherwise requires some level of privilege), everything works as expected. The page header displays your name, and you can view "privileged" content without further complications.
My theory is this: Once you've created an F5 APM session, the F5 holds onto your credentials, but doesn't send them to SharePoint until explicitly requested (via a 401 NTLM request). Somehow, Microsoft ISA Server circumvents this, and pre-emptively sends the credentials to the back-end, or otherwise does some invisible-to-me request mangling, so that you're logged in (from SharePoint's point of view) even on your first page view.
So, my main question: Is there a way to replicate this behavior on the F5?
A tangential question: Does my theory as to why it's happening seem plausible?