APM has a nice feature that allows seamless authentication for domain joined machines by leveraging NTLM and/or Kerberos authentication. Michael Koyfman has a great article on DevCentral titled Leveraging BIG-IP APM for seamless client NTLM Authentication that will walk you through the steps.
I’ve implemented this a few times and I wanted to share some of my gotchas:
1. Ensure you follow the documentation and use the latest version of the iRule
I’ve run across the following error twice with customers where IE (or browser of choice) displays a blank page with a URI of /ntlm/auth and the following error in their LTM logs:
TCL error: /Common/ntlm_auth – bad sid value length
If you see this ensure the Virtual Server’s Source Port settings is set to Preserve Strict
2. DNS, DNS, DNS
AD authentication is HEAVILY tied to DNS so ensure you have the F5 DNS settings configured correctly by using nslookup and the adtest tool in the CLI.
3. iRule Order
If you notice that the NTLM Auth iRule is not being triggered and you have multiple iRules assigned to the virtual server consider reordering the iRules. Seems simple but if you’re new to iRules you may not have encountered this yet.
One thought on “APM Client Side NTLM Authentication – 3 Things to Watch”
Rather than just reordering in the GUI, I like to have a little more control over the process of when iRules fire, so I establish a priority at the top of each iRule. Default is 500, and the GUI does ordering outside of this priority number. If you set all your iRules in a desired sequence (I usually start with 10, 20, 30 so I can slide other rules in as necessary) then GUI order doesn’t matter.