APM Client Side NTLM Authentication – 3 Things to Watch

APM has a nice feature that allows seamless authentication for domain joined machines by leveraging NTLM and/or Kerberos authentication.  Michael Koyfman has a great article on DevCentral titled Leveraging BIG-IP APM for seamless client NTLM Authentication that will walk you through the steps.

I’ve implemented this a few times and I wanted to share some of my gotchas:

1. Ensure you follow the documentation and use the latest version of the iRule

I’ve run across the following error twice with customers where IE (or browser of choice) displays a blank page with a URI of /ntlm/auth and the following error in their LTM logs:

TCL error: /Common/ntlm_auth – bad sid value length

If you see this ensure the Virtual Server’s Source Port settings is set to Preserve Strict


AD authentication is HEAVILY tied to DNS so ensure you have the F5 DNS settings configured correctly by using nslookup and the adtest tool in the CLI.

3. iRule Order

If you notice that the NTLM Auth iRule is not being triggered and you have multiple iRules assigned to the virtual server consider reordering the iRules. ¬†Seems simple but if you’re new to iRules you may not have encountered this yet.