Forum Discussion

zafer (Nimbostratus)
Sep 20, 2008

ntlm and oneconnect

Hello,

I have a problem with the OneConnect profile when I use NTLM authentication on a portal website.

All users authenticate against the domain, and IIS controls clients with an integrity check of whether the client is authenticated.

I used the OneConnect profile with a class C mask or a host-based mask, but I see the authentication screen a lot of times when I browse the web page.

If I remove the OneConnect profile from the VIP, it works.

So, is it possible to solve the problem with an iRule? I want to use the OneConnect feature.

Regards,

zafer

10 Replies

  • Hi Zafer,

    Which LTM version are you running? There was an issue with OneConnect breaking NTLM authentication in 9.1.x:

    SOL5050: OneConnect may prevent NTLM authentication from succeeding

    Aaron
  • zafer (Nimbostratus)
    We use the maintenance release; I know this solution. When I looked at the SharePoint portal deployment guide, I saw the importance of OneConnect. F5 does not support NTLM with OneConnect.

    Is it possible that Citrix can use the TCP multiplexing feature?

    zafer

  • "f5 does not support ntlm with oneconnect."

    Hi, how can you know that version 9.3.1 doesn't support NTLM with OneConnect?

    Recently I upgraded from 9.1.2 to 9.3.1 HF4; one of the features I wanted to deploy in 9.3.1 is OneConnect, and that was one of the reasons I used to justify the migration.

    Are you using 9.3.1? Does the bug in OneConnect still remain in 9.3.1?

  • CR48426, described in SOL5050, is shown as only affecting 9.1.3 and lower:

    9.1.3, 9.1.2, 9.1.1, 9.1, 9.0.5, 9.0.4, 9.0.3, 9.0.2, 9.0.1, 9.0

    I'm not sure why Zafer is saying that F5 doesn't support OneConnect and NTLM. It certainly looks like they aim to.

    Aaron
  • zafer (Nimbostratus)
    Here is the email from support:

    *** EMAIL OUT 9/22/2008 9:01:57 am conn Action Type: External email

    Send to: [zafer.berber@prolink.com.tr]

    Title: LTM v9.3.1 - oneconnect problem and authentication

    Severity: Site at Risk (Sev 2)

    Zafer,

    You understand correctly, NTLM authentication cannot be used with OneConnect.

    When OneConnect has a mask set of 255.255.255.255, it means that for each external client, one persistent connection will be made to the server on the back end. The normal situation where a network mask is used is that one TCP connection will be established and used for all connections coming from that network mask. For example, a mask of 255.255.255.0 will reuse the same back-end connection for all hosts coming from 192.168.8.0/24. It will use another connection for all clients coming from 172.20.8.0/24. And so on with each new network it sees.

    SOL5911: Managing connection reuse using OneConnect source mask

    https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5911.html

    The LTM is still multiplexing the connection using SNAT. NetScaler differs from the LTM in that the LTM is a full proxy while NetScaler is not. While sometimes it causes situations like this, it also allows us a great deal more flexibility to manipulate connections as they are being load balanced, for example, with specialized protocol profiles like HTTP and SIP, and with iRules.

    This problem is not so much a problem with the method that the LTM uses to aggregate connections as it is with the way that NTLM is designed. Unfortunately, it is rather inflexible about the way it can be used through a proxy such as ours. While it mostly works, one feature it does not play well with is OneConnect.

  • Interesting... thanks for posting that, Zafer. F5 Support's response begs the question of why SOL5050 exists and why CR48426 was fixed.

    Aaron
  • zafer (Nimbostratus)
    The other interesting thing is in the SharePoint portal deployment guide's important notes: NTLM and OneConnect do not work together; F5 does not support OneConnect with SharePoint.

    Regards,

    zafer

  • Reading over the best description of NTLM for HTTP auth I could find, it looks like NTLM requires requests to be sent over the same TCP connection as the original request where the authentication took place. So it doesn't seem like it could consistently work to aggregate TCP connections for NTLM.

    3. ...From this point forward, the connection is kept open; closing the connection requires reauthentication of subsequent requests.

    I'm still curious as to why SOL5050 indicates there was an issue with OneConnect and NTLM which was fixed.

    Aaron
  • zafer (Nimbostratus)
    We see that the other vendor xxxx can use the TCP multiplexing feature with NTLM. I don't understand how it uses multiplexing with NTLM, or why BIG-IP can't do this.

    I saw statistics: client side 3000 connections, server side 20 connections.

    Interesting...

    zafer

  • I have an open case with support on this. I am running 9.3.1 and the initial feedback I am getting is that the two do not mix well. The case is still open, but the support person gave me a few options. One was to use an iRule to disable OneConnect when an NTLM request comes through. In my situation this is a reasonable solution (fixing OneConnect would be best), because my site is mostly unauthenticated. Also, my IE clients will authenticate using Kerberos. The only time NTLM comes into play is for Firefox clients. So having a few connections that cannot be multiplexed is not a big issue.

    Here is my solution -

      # Rule to disable OneConnect for NTLM sessions
      when RULE_INIT {
          set ::CNTLM_Debug 0
      }

      when HTTP_REQUEST {
          if { $::CNTLM_Debug } {
              log local0. "Authorization header -> [HTTP::header Authorization]"
          }

          # Flag requests that carry an NTLM Authorization header
          if { [string tolower [HTTP::header Authorization]] starts_with "ntlm" } {
              set ntlmreq 1
          } else {
              set ntlmreq 0
          }
      }

      when HTTP_RESPONSE {
          # Keep this client's server-side connection to itself instead of
          # returning it to the OneConnect pool for reuse by other clients
          if { [info exists ntlmreq] && $ntlmreq } {
              ONECONNECT::detach disable

              if { $::CNTLM_Debug } {
                  log local0. "NTLM request detected. Disabling OneConnect"
              }
          }
      }
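As an added example (not code from the thread, from F5 or from the poster), a small Python model of the point Aaron raised and the iRule above addresses: the toy back end binds NTLM authentication state to the TCP connection, so sharing one pooled back-end connection across clients produces fresh 401 challenges, while pinning clients that sent NTLM (what ONECONNECT::detach disable achieves) keeps every request authenticated. The header check goes beyond the iRule by also recognising NTLM carried inside a Negotiate header; client names and tokens are constructed.

```python
from typing import Dict, List, Optional, Tuple

# base64 of the "NTLMSSP\0" signature that starts every NTLM message; a
# Negotiate (SPNEGO) header carrying this prefix is NTLM, not Kerberos.
NTLMSSP_B64_PREFIX = "TlRMTVNTUAA"

def is_ntlm_request(authorization: Optional[str]) -> bool:
    """True for 'NTLM <token>' (what the iRule tests) and for
    'Negotiate <token>' when the token is NTLMSSP rather than Kerberos."""
    if not authorization:
        return False
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return True
    return scheme.lower() == "negotiate" and token.strip().startswith(NTLMSSP_B64_PREFIX)

class NtlmBackend:
    """Toy IIS: NTLM auth state is bound to the TCP connection, so a request
    arriving on a connection that another client authenticated gets a 401."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}  # back-end connection id -> authenticated client

    def handle(self, conn_id: str, client: str, authorization: Optional[str]) -> int:
        if self.owner.get(conn_id) == client:
            return 200
        if is_ntlm_request(authorization):  # simplified: one message completes the handshake
            self.owner[conn_id] = client
            return 200
        return 401  # challenge again: the browser shows the authentication prompt

def simulate(requests: List[Tuple[str, Optional[str]]], pin_ntlm_clients: bool) -> List[int]:
    """Replay (client, Authorization) pairs through a toy OneConnect. Unpinned, all
    clients share one pooled back-end connection; pinned, a client that has sent
    NTLM keeps its own connection (the effect of ONECONNECT::detach disable)."""
    backend, pinned, statuses = NtlmBackend(), {}, []
    for client, auth in requests:
        if pin_ntlm_clients and is_ntlm_request(auth):
            pinned.setdefault(client, "conn-" + client)
        statuses.append(backend.handle(pinned.get(client, "conn-shared"), client, auth))
    return statuses

# Constructed sample traffic; the tokens are placeholders, not real NTLM messages.
SAMPLE_REQUESTS = [
    ("alice", "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),
    ("alice", None),
    ("bob", "Negotiate TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),
    ("bob", None),
    ("alice", None),  # lands on the connection bob now owns -> 401 unless pinned
]
```

Running simulate(SAMPLE_REQUESTS, False) yields a 401 for alice's last request, the repeated login prompt described in the thread, while simulate(SAMPLE_REQUESTS, True) returns 200 for every request.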