Access Policy Manager® (APM®) supports Microsoft Exchange clients that are configured to use NTLM, by checking NTLM outside of the APM session as needed. APM requires a machine account and an NTLM Auth configuration to perform these checks. APM requires an Exchange profile to support Microsoft Exchange clients, regardless of the authentication they are configured to use.
Microsoft software systems use NTLM as an integrated single sign-on (SSO) mechanism. However, in an Active Directory-based SSO scheme, Kerberos replaces NTLM as the default authentication protocol. NTLM is still used when a domain controller is not available or is unreachable, such as when the client is not Kerberos-capable, the server is not joined to a domain, or the user authenticates remotely over the web.
In Access Policy Manager®, you need to configure these elements:
You also need to configure a special account in Active Directory for Kerberos constrained delegation (KDC).
You can use the same machine account for two BIG-IP® systems when they are in an active-standby configuration. Otherwise, F5® recommends that you create a new NTLM machine account using the Access Policy Manager® user interface on each BIG-IP system.
Creating a new NTLM machine account on each BIG-IP system is helpful, for example, when two systems independently update their configurations without propagating them, or when you replicate the configuration into different BIG-IP systems using any configuration replication method. If you export a configuration and import it on another system, the machine account is included; however, after the import completes, you still need a new machine account and an NTLM authentication configuration that uses the new machine account on the target system.
Access Policy Manager® (APM®)supports Outlook Anywhere clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. APM determines whether a client uses NTLM or HTTP Basic authentication and enforces the use of one or the other. After a client authenticates with NTLM or HTTP Basic, APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).
C:\Users\Administrator> setspn -L apm4Registered ServicePrincipalNames for CN=apm4,OU=users,DC=yosemite,DC=lab,DC=dnet,DC=com: HTTP/apm4.yosemite.lab.dnet.com where apm4 is the name of the user account that you created.
A machine account
An NTLM Auth configuration
At least one Kerberos SSO configuration
Example access policy with actions based on whether NTLM authentication occurred