Bug ID 439880: NTLM authentication does not work due to incorrect NetBIOS name

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP None(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF6

Opened: Dec 05, 2013

Severity: 1-Blocking

Symptoms

Internally, the BIG-IP system assumes that the NetBIOS domain name always matches the prefix (leftmost label) of the DNS domain name. For example, if the domain name is sales.company.com, then the NetBIOS name must be SALES. If the NetBIOS name does not meet this assumption, NTLM and/or Kerberos front-end authentication never works, even when configured correctly. In a disjoint namespace deployment, the NetBIOS name and the prefix of the DNS name do not match, and the BIG-IP system cannot establish a secure channel (SCHANNEL) with the Active Directory domain controller.

Impact

NTLM front-end authentication does not work because there is no SCHANNEL to Active Directory through which the user's credentials can be verified.

Conditions

The NetBIOS domain name does not match the prefix (leftmost label) of the DNS domain name.

Workaround

Change the Active Directory deployment so that the NetBIOS domain name matches the prefix of the DNS domain name.

Fix Information

BIG-IP 11.6.0 HF6 introduced the Apm.NetBIOS.DomainName db variable as a global NetBIOS domain name. When the variable is set to a non-default value, that value is used as the NetBIOS domain name during configuration. When the variable has its default value ("<null>"), APM reverts to extracting the NetBIOS domain name from the FQDN. Because the variable is global, only one NetBIOS domain is usable while it is set to a non-default value.

Note: Support for the Apm.NetBIOS.DomainName db variable is discontinued in version 12.0.0 and later.

In BIG-IP 12.0.0, when you create a Machine Account in APM, APM performs a domain join, retrieves the NetBIOS domain name from the Active Directory server, stores it in the configuration, and uses it for NTLM authentication. To use the new behavior, delete the existing machine account and recreate it. Otherwise, the machine account continues to obtain the NetBIOS name the way it did before version 12.0.0.
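The following is an added illustration, not BIG-IP or APM code: it models the three name-selection behaviors described above (FQDN-prefix derivation before 12.0.0, the global Apm.NetBIOS.DomainName override in 11.6.0 HF6, and the name Active Directory itself reports, which is what the 12.0.0 domain join stores) and runs a preflight check that flags each domain whose NTLM front-end authentication would fail. The domain names, the reported NetBIOS names, and the preflight function are constructed for the example; the only real identifiers are the db variable name and its "<null>" default taken from this page.

```python
"""Model of the NetBIOS-name handling described in Bug ID 439880 (illustrative only)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DB_DEFAULT = "<null>"   # default value of Apm.NetBIOS.DomainName on 11.6.0 HF6 (from this page)
NETBIOS_MAX_LEN = 15    # a NetBIOS name is at most 15 characters


def netbios_from_fqdn(domain_fqdn: str) -> str:
    """Pre-12.0.0 APM assumption: NetBIOS domain = leftmost DNS label, upper-cased."""
    label = domain_fqdn.strip().rstrip(".").split(".")[0]
    if not label:
        raise ValueError(f"no leftmost label in {domain_fqdn!r}")
    return label.upper()


def effective_netbios_name(domain_fqdn: str, db_override: Optional[str] = None) -> str:
    """11.6.0 HF6 behavior: a non-default Apm.NetBIOS.DomainName value replaces the derived name.

    None, an empty string, or the "<null>" default all mean 'derive from the FQDN'.
    """
    if db_override is None or db_override.strip() in ("", DB_DEFAULT):
        return netbios_from_fqdn(domain_fqdn)
    name = db_override.strip().upper()
    if len(name) > NETBIOS_MAX_LEN:
        raise ValueError(f"{name!r} exceeds the {NETBIOS_MAX_LEN}-character NetBIOS limit")
    return name


@dataclass
class Domain:
    fqdn: str
    ad_netbios_name: str  # the NetBIOS domain name as the domain controller actually reports it

    def is_disjoint(self) -> bool:
        """True when the DNS prefix and the real NetBIOS name differ (the bug's trigger)."""
        return netbios_from_fqdn(self.fqdn) != self.ad_netbios_name.upper()


def preflight(domains: List[Domain], db_override: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (fqdn, reason) for every domain whose SCHANNEL setup would use the wrong name.

    Hypothetical helper: compares the name APM would use (derived or overridden) with the
    name AD reports, which is the comparison the 12.0.0 domain join makes unnecessary.
    """
    problems: List[Tuple[str, str]] = []
    for d in domains:
        used = effective_netbios_name(d.fqdn, db_override)
        expected = d.ad_netbios_name.upper()
        if used != expected:
            problems.append((d.fqdn, f"APM would use {used}, AD reports {expected}"))
    return problems


# Constructed sample: one conventional domain and one disjoint-namespace domain.
SAMPLE = [
    Domain("sales.company.com", "SALES"),      # prefix matches NetBIOS name
    Domain("eu.corp.example.com", "EUROPE"),   # disjoint: prefix EU, NetBIOS EUROPE
]

if __name__ == "__main__":
    print("no override:    ", preflight(SAMPLE))
    print("override EUROPE:", preflight(SAMPLE, "EUROPE"))
```

Running the sample shows both halves of the fix note: without an override only eu.corp.example.com fails (its derived name EU never matches EUROPE), and with Apm.NetBIOS.DomainName set to EUROPE that domain works but sales.company.com now fails, because the override is global and only one NetBIOS domain is usable. On 11.6.0 HF6 the variable is set with tmsh (`modify sys db apm.netbios.domainname value EUROPE`); on 12.0.0 and later the recreated machine account stores the name from the domain join, so the override is neither supported nor needed.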

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips