K03010204: Configuring BIG-IP APM NTLM Authentication

K03010204: Configuring BIG-IP APM NTLM authentication

Non-Diagnostic

Original Publication Date: Feb 27, 2019

Update Date: Apr 6, 2020

Topic

You should consider using these procedures under the following conditions:

You want to configure NT LAN Manager (NTLM) authentication to authenticate Windows domain users. Your client devices are joined to the domain and users are logged in with their domain-user accounts. You have configured DNS on the BIG-IP system so it can resolve the Active Directory domain controllers. Your BIG-IP APM system's time is synced to the Windows domain controller.

Description

The purpose of this article is to configure NTLM authentication for domain-joined computers, for a seamless user experience when connecting to a BIG-IP APM virtual server. NTLM Authentication uses the provided credentials when the user logs in to their domain-joined computer and uses these credentials to authenticate the user to the BIG-IP APM system.

Prerequisites

You must meet the following prerequisite to use these procedures:

You have access to the command line and Configuration utility of the BIG-IP APM system.

Procedures

Creating an NTLM Machine Account Creating the NTLM Authentication Configuration Creating an iRule to enable External Client Authentication (ECA) Creating an Access Policy in the Visual Policy Editor to include NTLM checks Creating a virtual server Adding an ECA profile on the APM virtual server Adding your virtual server hostname to the Local Intranet Sites list

Creating an NTLM Machine Account

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. 2. Go to Access > Authentication > NTLM > Machine Account.

Note: For BIG-IP 12.x, go to Access Policy > Access Profiles > NTLM > Machine Account.

3. Select Create. 4. For Name, enter a name for the profile.

For example:

ntlm_machine

5. For Machine Account Name, enter the name of the machine account.

For example:

f5_ntlm_machine

6. For Domain FQDN, enter the qualified domain name for the domain you want to join.

For example:

example.com

7. For Domain Controller FQDN, enter the FQDN of the DC.

For example:

dc.example.com

8. For Admin User, enter a user account with administrative privileges.

For example:

Administrator

9. For Admin Password, enter the password for the Administrator user. 10. Select Join. 11. Verify on Windows Active Directory that a new Computer account with the same name in step 5 is created.

Creating the NTLM Authentication Configuration

This procedure uses the previously created NTLM Machine Account to create the NTLM Authentication Configuration.

Note: This configuration object name is referenced within the iRule later in this configuration.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility. 2. Go to Access > Authentication > NTLM > Machine Account > NTLM Auth Configuration. 2.

Note: For BIG-IP 12.x, go to Access Policy > Access Profiles > NTLM > NTLM Auth Configuration.

3. Select Create. 4. For Name, enter a name for the profile.

For example:

ntlm_config

5. For Machine Account Name, select the previously created Machine Account:

For example:

f5_ntlm_machine

6. For Domain Controller FQDN List, enter the FQDN of the DC.

For example:

dc.example.com

7. Select Add. 8. Select Finished. 9. Log in to the Advanced Shell (bash) and review the /var/log/apm logs to verify that there are no errors, and that step 8 completed successfully.

Creating an iRule to enable External Client Authentication (ECA)

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility. 2. Go to Local Traffic > iRules. 3. Select Create. 4. Enter the name of the iRule and add the following iRule text to the Definition box.

Note: In the following iRule, replace ntlm_config with the name of the NTLM Auth Configuration object you created in step 4 of the procedure Creating the NTLM Authentication Configuration.

when HTTP_REQUEST { if { [ACCESS::session data get session.ntlm.last.result] eq 1 } { ECA::disable } else { ECA::enable ECA::select select_ntlm:/Common/ntlm_config } }

5. Select Finished. Creating an Access Policy in the Visual Policy Editor to include NTLM checks

When completed, the Access Policy will have an NTLM Auth Result for successful authentication with domain-joined computers.

Impact of procedure: Performing the following procedure creates an NTLM check in the Visual Policy Editor (VPE) and should not have a negative impact on your system.

Note: This is for the NTLM Authentication only, you need to assign an LTM pool or APM resources.

1. Log in to the Configuration utility. 2. Go to Access > Profiles / Policies > Access Profiles (Per-Session Policies).

Note: For BIG-IP 12.x, go to Access Policy > Access Profiles > Access Profiles List.

3. Select Create. 4. For Name, enter the profile name.

For example:

ntlm_access_policy

5. In the Profile Type, select All. 6. Move a Language Choice to the Accepted Languages column and select Finished. 7. For the access profile just created, select Edit to modify the policy in the Visual Policy Editor. 8. Select the plus sign(+). 9. Select the Authentication tab. 10. Select NTLM Auth Result and select Save. 11. Select the successful NTLM Auth Result branch ending and change it from Deny to Allow. 12. Add the appropriate resources (for example, Advanced Resource Assign) to your access policy. 13. Select Apply Access Policy.

Creating a virtual server

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility. 2. Go to Local Traffic > Virtual Servers > Virtual Server List. 3. Select Create. 4. For Name, enter a name for the profile.

For example:

ntlm_vs

5. For Destination Address/Mask, enter the virtual server IP address. 6. For Service Port, enter 443 or select https. 7. For HTTP Profile, select an appropriate HTTP profile. 7.

For example:

http

8. In the Access Policy section, for Access Profile, select the access profile you created in Creating an Access Policy in the Visual Policy Editor to include NTLM checks. 9. In the Resources section, for iRules, select the iRule you created in Creating and apply iRule to enable ECA, and move it to the Enabled column. 10. Select Finished.

Adding an ECA profile on the APM virtual server

The system uses the ECA profile to obtain the users NTLM information from the client machine.

Impact of procedure: Adding an ECA profile to a virtual server should not have a negative impact on your system. However, running tmsh save sys config applies previous unsaved changes you made.

1. Log in to the command line. 2. Use the following command syntax, and replace with your virtual server name:

tmsh modify ltm virtual profiles add { eca }

For example:

tmsh modify ltm virtual ntlm_vs profiles add { eca }

3. Save the changes by entering the following command:

tmsh save sys config

Adding your virtual server hostname to the Local Intranet Sites list

If you do not add your local domain to the Local Intranet, the client device does not authenticate using NTLM when challenged by the BIG-IP APM system and the system continues to prompt you for credentials.

You must perform this by way of the group policy object (GPO) on the Domain Controller. Contact your Server Administrator and request that they add the virtual server hostname to the Local Intranet Sites list. Alternatively, for a single user on Internet Explorer, perform the following procedure:

Note: For other browsers, refer to the relevant documentation for how to add a local intranet site.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Start Internet Explorer. 2. Select the tools icon and select Internet options. 3. Select the Security tab. 4. Select Local intranet. 5. Select Sites. 6. Select Advanced.

7. 7. For Add this website to the zone, enter the URL of the HTTP site you are configuring for Kerberos.

For example:

https://app1.example.com.

8. Select Add.

Supplemental Information

K00306455: Using NTLM Pre-Authentication with Internet Explorer K54401337: Configuring an NTLM machine account on a non-default route domain K94250230: Error Message: 0162000f:4: Received invalid type of NTLMSSP message DevCentral: Configuring APM Client Side NTLM Authentication DevCentral: Leveraging BIG-IP APM for seamless client NTLM Authentication

Applies to:

Product: BIG-IP, BIG-IP APM 15.X.X, 14.X.X, 13.X.X, 12.X.X