Bug ID 475049: Missing validation of disallowing empty DC configuration list

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP None(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2, 11.4.1 HF9

Opened: Aug 08, 2014

Severity: 2-Critical

Related Article: K16499

Symptoms

The NTLM authentication feature requires at least one Domain Controller (DC) to be specified in the NTLM Auth Configuration Domain Controller FQDN list. This is by design: NTLM authentication is performed on a per-connection basis, so the set of servers that carry that load must be chosen explicitly, and no DC autodiscovery mechanism is implemented for NTLM authentication. For the feature to work, the administrator must specify particular servers. Leaving this list empty caused unexpected behavior: authentication was not performed, yet the result was treated as a success. Note that the Domain Controller configuration for an NTLM authentication configuration is different from the Domain Controller configuration for an NTLM machine account. For the NTLM machine account, the BIG-IP system can automatically discover one of the available DCs using DNS, or the administrator can specify a DC. Administrators should specify at least one Domain Controller in the Domain Controller FQDN list of every NTLM Auth configuration.

Impact

The system misbehaves with an incorrect and unsupported configuration: no authentication is performed.

Conditions

The Domain Controller FQDN list of an NTLM Auth Configuration is allowed to be empty, which is both incorrect and unsupported.

Workaround

None

Fix Information

In this release, the Domain Controller (DC) fully qualified domain name (FQDN) list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, add a dc-fqdn-list { <fqdn> } line to each NTLM Auth Configuration that lacks one, as in this example:

    apm ntlm ntlm-auth ntlm_test {
        app-service none
        dc-fqdn-list { dc01.example.com }
        machine-account-name mdc1
        partition Common
        service-id 2
    }
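The pre-upgrade check described above can be scripted. The following is an added example, not F5 code: it reads the output of `tmsh list apm ntlm ntlm-auth` and lists every NTLM Auth Configuration whose DC FQDN list is missing or empty. The sample tmsh output is constructed, and the "none" and "{ }" renderings of an empty list are assumptions; only the "{ fqdn }" form appears in the bug record.

```shell
#!/bin/sh
# Added example, not F5 code: pre-upgrade audit of NTLM Auth Configurations.
# Reads `tmsh list apm ntlm ntlm-auth` output and prints every ntlm-auth
# object whose dc-fqdn-list is absent, "none", or an empty "{ }". Assumes
# each list renders on one line, as in the record's own example.

# Constructed sample standing in for real `tmsh list apm ntlm ntlm-auth` output.
SAMPLE_TMSH_OUTPUT='apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_nodc {
    app-service none
    machine-account-name mdc1
    partition Common
    service-id 3
}
apm ntlm ntlm-auth ntlm_emptydc {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 4
}'

# find_ntlm_auth_without_dc: stdin = tmsh list output; stdout = one object name
# per line for each ntlm-auth object with no domain controller FQDN.
find_ntlm_auth_without_dc() {
    awk '
        # Header line of an object: remember its name and reset the FQDN count.
        /^apm ntlm ntlm-auth / { name = $4; fqdns = 0; next }
        # dc-fqdn-list line: braces become spaces, remaining tokens are FQDNs.
        /^[[:space:]]*dc-fqdn-list/ {
            gsub(/[{}]/, " ")
            for (i = 2; i <= NF; i++) if ($i != "none") fqdns++
            next
        }
        # Closing brace of the object: report it if no FQDN was seen.
        /^}/ { if (name != "" && fqdns == 0) print name; name = "" }
    '
}

# Stand-alone run on the sample; on a BIG-IP pipe real tmsh output in instead:
#   tmsh list apm ntlm ntlm-auth | find_ntlm_auth_without_dc
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | find_ntlm_auth_without_dc
```

Any name printed is a configuration that the upgraded release will reject and that, per the Symptoms above, currently passes connections without authenticating them.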

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips