How to force a back-end authentication request?
The subject line above may be a bit misleading/confusing, and I'm in a bit over my head, so here's my scenario. I'm trying to replace a Microsoft ISA server with F5 APM. For this part of my project, the back-end servers are SharePoint 2010. We have an access profile that requires all users to log into APM, check credentials against a Windows DC, and send NTLM to the back-end.

For sites where the back-end requires authentication for all content, everything works just fine. However, for sites where some content is anonymously available (from the SharePoint point of view), I've got some unusual behavior. On one site, for instance, all pages have a "Login" box at the top. On ISA, the Login field is replaced with an identifying "you're logged in as Your-name Here", but on the F5 it's just a login prompt. Once you do something that requires special privileges (visiting a back-end page, or a page that otherwise requires some level of privilege), everything works as expected. The page header displays your name, and you can view "privileged" content without further complications.

My theory is this: Once you've created an F5 APM session, the F5 holds onto your credentials, but doesn't send them to SharePoint until explicitly requested (via a 401 NTLM request). Somehow, Microsoft ISA Server circumvents this, and pre-emptively sends the credentials to the back-end, or otherwise does some invisible-to-me request mangling, so that you're logged in (from SharePoint's point of view) even on your first page view.

So, my main question: Is there a way to replicate this behavior on the F5? A tangential question: Does my theory as to why it's happening seem plausible?

ISA-like URI proxy
As we are preparing to deploy LTM/APM in our environment, and moving things from our ISA server to the F5 appliance, I'm running into a difficulty trying to get something to work. Currently, within the ISA, we have a site set up to use a specific URI to determine the route. For example, http://example.com/App1 will connect on the back end to the server app1.domain.local. With the ISA, the /App1/ seems to persist as expected throughout the session, even though on the back end I know that the connection would be going to app1.domain.local/{RestOfUri} rather than app1.domain.local/App1/{RestOfUri}.

What I'm trying to do with the F5 is get that same type of experience by using part of the URI as a deciding factor for which pool to send the connection to. The problem is that I can do that the first time and change the HTTP::path to remove the /App1 from the URL so it will hit the back-end server properly, but once the response comes back, some of its links (e.g. "/{link}") will now be associated with the host root rather than root plus URI prefix (e.g. example.com/{link} vs example.com/App1/{link}).

In this instance, we are not using the APM because one of the sites I'm trying to get working is part of our login process, and is non-authenticated. I've tried a number of different ideas through iRules, but I can't seem to find a way that will work consistently and give me the same experience I've had with the ISA. Any help would be greatly appreciated.

Thanks,
Michael
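
The mapping described in the post above, sketched as an added example (not part of the original post, and not F5 or ISA code): a small Python model of what a prefix-mapping reverse proxy has to rewrite in each direction. The `/App1` to `app1.domain.local` route comes from the post; the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Route taken from the post's example: public URI prefix -> back-end host.
ROUTES = {"/App1": "app1.domain.local"}

# Root-relative URLs in href/src/action attributes ("/x", but not "//host/x").
_ATTR = re.compile(r'''((?:href|src|action)\s*=\s*["'])/(?!/)''', re.I)


def route_request(path):
    """Return (backend_host, backend_path, prefix), or None if no prefix matches."""
    for prefix, backend in ROUTES.items():
        # Match on a path-segment boundary so /App10 is not treated as /App1.
        if path == prefix or path.startswith(prefix + "/"):
            return backend, path[len(prefix):] or "/", prefix
    return None


def rewrite_location(value, prefix, backend):
    """Put the prefix back on a redirect that points at the same back end."""
    parts = urlsplit(value)
    if parts.hostname:
        if parts.hostname != backend:
            return value              # redirect to some other host: leave untouched
        path = parts.path or "/"      # absolute URL naming the back end: hide the host
    elif parts.path.startswith("/"):
        path = parts.path             # root-relative redirect
    else:
        return value                  # relative: the browser resolves it against the prefixed URL
    out = prefix + path
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


def rewrite_body(html, prefix):
    """Prefix root-relative links so they stay under the public prefix."""
    return _ATTR.sub(lambda m: m.group(1) + prefix + "/", html)
```

The same three rewrites (request path, `Location` header, root-relative links in the body) apply whatever the proxy; cookie `Path` attributes set by the back end need the same mapping and are not covered here.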