NTLM fallback path is not been selected

Question

Hello everyone,&nbsp;
I've been trying to configure an APM policy to authenticate the users transparently via NTLM as long as the user's computer is Joined to the domain else they should be shown the Logon Page. I've followed the guide from kevin (https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication) and NTLM works fine (The VS has the irule for NTLM indicated in that post too). The problem comes when the user access with a non-domain joined computer, the browser keep asking for credentials (Pop-up). &nbsp;
As per my policy the fallback path for NTLM connects with Logon page, although that Logon Page never comes. If i write down the correct credentials i will not be prompted again for them but the page displays an error (Can’t reach this page) and if used NTLM with a joined computer it will be accepted. &nbsp;
Thanks in advanced&nbsp;
&nbsp;

boneyard · Answer

you could see if it works with kerberos, there is some discussion about that here and i have seen this working:
https://devcentral.f5.com/questions/kerberos-401-authentication-with-form-fallback&nbsp;
afterwards you could go back to NTLM and see if that works.&nbsp;
this is a little bit more what you want, but they use different selections to go for NTLM or forms&nbsp;
https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;
the issue is client still try to authenticate because of 401 response.&nbsp;
NTLM auth is done before Access policy is evaluated, so it never follow fallback branch.&nbsp;
NTLM auth result is not a NTLM auth action but a validation of NTLM auth performed at LTM level.&nbsp;
try with following code to disable NTLM auth if first attempt fails.&nbsp;
when ECA_REQUEST_DENIED {
   log local0. "User [ECA::username]@[ECA::domainname], Client Machine [ECA::client_machine_name], Auth Status [ECA::status]"
   ECA::disable
}

jesseg_357836 · Answer

Hello,&nbsp;
I am struggling with the very same issue. Were you able to resolve it? If so, can you provide a solution?&nbsp;
Thank you&nbsp;

boneyard · Answer

a first step would be to explain how exactly your situation is the same. how does your policy look? and what of the tips here you already tried.&nbsp;

jesseg_357836 · Answer

at least from other posts on devcentral, it looks like this may not be possible as NTLM auth happens before the policy starts. So the only workaround is to check for domain membership beforehand, but that requires edge components to be installed and I'm hoping to avoid installing edge components company wide.

Forum Discussion

NTLM fallback path is not been selected

7 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

NTLM

Configuring APM Client Side NTLM Authentication

Persist connection based on NTLM username

Transparent Kerberos Authentication and APM fallback authentication

HTTPS passthrough fallback URL