Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1
Opened: Jun 30, 2024 Severity: 3-Major
The NT LAN Manager (NTLM) Single Sign-On (SSO) fails with “411 required Length” response sent to the client.
The Transfer-Encoding and Content-Length headers are not sent to the NTLM server. SSO fails and the backend NTLM server cannot be accessed.
- Stream profile should be attached to the VS - NTLM SSO should be enabled on the Access profile
The following iRule workaround can be applied: when CLIENT_ACCEPTED { ACCESS::restrict_irule_events enable } when HTTP_REQUEST { # Disable the stream filter for requests STREAM::disable } when HTTP_RESPONSE { if { [HTTP::header value Content-Type] contains "text"} { STREAM::expression "@https://internal.com@https://external.com@" STREAM::enable } }
None