Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP (all modules)
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2, 11.4.1 HF9
Opened: Aug 08, 2014
Severity: 2-Critical
Related Article: K16499
Symptoms:
The NTLM authentication feature requires at least one Domain Controller (DC) to be specified in the Domain Controller FQDN list of the NTLM Auth Configuration. This is by design, to prevent unwanted load on the server, because NTLM authentication is performed on a per-connection basis. There is no DC autodiscovery mechanism for NTLM authentication, also by design: for the feature to work, the administrator must specify particular servers. Leaving this list empty caused unexpected behavior, in which authentication is not performed and yet is reported as a success. The Domain Controller configuration for an NTLM Auth Configuration is different from the Domain Controller configuration for an NTLM machine account. For the NTLM machine account, the BIG-IP system can automatically discover one of the available DCs using DNS, or the administrator can specify a DC. Administrators should specify at least one Domain Controller in the Domain Controller FQDN list of each NTLM Auth Configuration.
Impact:
Misbehavior with an incorrect and unsupported configuration, in which no authentication is performed.
Conditions:
The Domain Controller FQDN list of an NTLM Auth Configuration is allowed to be empty, which is both incorrect and unsupported.
Workaround:
None
Fix Information:
In this release, the Domain Controller (DC) fully qualified domain name (FQDN) list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, add a dc-fqdn-list { <fqdn> } line to each ntlm auth configuration, as in this example:

apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
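The pre-upgrade check described above (and the empty-list condition in the symptoms section) can be automated by scanning the output of tmsh list apm ntlm ntlm-auth for configurations whose dc-fqdn-list is empty or absent. The following script is an added example and is not part of the F5 article or of the BIG-IP product. The tmsh output it parses is constructed to match the format shown on this page; the exact rendering of an empty list in real tmsh output (dc-fqdn-list { }, dc-fqdn-list none, or the property simply missing) is an assumption, so all three forms are treated as empty. The object names ntlm_ok, ntlm_empty and ntlm_missing are placeholders.

```shell
#!/bin/sh
# Constructed sample of `tmsh list apm ntlm ntlm-auth` output (not captured from a real
# system). Three objects: one correct, one with an empty list, one with no list at all.
SAMPLE_TMSH_OUTPUT='apm ntlm ntlm-auth ntlm_ok {
    app-service none
    dc-fqdn-list { dc01.example.com dc02.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_empty {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 3
}
apm ntlm ntlm-auth ntlm_missing {
    app-service none
    machine-account-name mdc1
    partition Common
    service-id 4
}'

# find_empty_dc_lists: reads `tmsh list apm ntlm ntlm-auth` output on stdin and prints,
# one per line, the name of every ntlm-auth object that has no Domain Controller FQDN.
# Assumption: an empty list appears as "dc-fqdn-list { }", "dc-fqdn-list none", or not at all.
find_empty_dc_lists() {
    awk '
        function flush() { if (name != "" && fqdns == 0) print name }
        # A new object starts: report the previous one if it had no FQDNs.
        /^apm ntlm ntlm-auth / { flush(); name = $4; fqdns = 0; inlist = 0; next }
        /^[ \t]*dc-fqdn-list[ \t]+none[ \t]*$/ { fqdns = 0; next }
        /^[ \t]*dc-fqdn-list[ \t]*[{]/ {
            # Count every token after the opening brace that is not the closing brace.
            for (i = 3; i <= NF; i++) if ($i != "}") fqdns++
            # If the closing brace is not on this line, the list continues on later lines.
            inlist = ($NF != "}")
            next
        }
        inlist {
            for (i = 1; i <= NF; i++) if ($i == "}") inlist = 0; else fqdns++
            next
        }
        END { flush() }
    '
}

# check_ntlm_dc_lists: returns 0 when every NTLM Auth Configuration has at least one
# DC FQDN, 1 (listing the offenders on stderr) when any must be fixed before upgrading.
check_ntlm_dc_lists() {
    bad=$(find_empty_dc_lists)
    if [ -n "$bad" ]; then
        printf 'NTLM Auth Configurations with no Domain Controller FQDN (fix before upgrade):\n%s\n' "$bad" >&2
        return 1
    fi
    echo "All NTLM Auth Configurations have at least one DC FQDN."
    return 0
}

# Demonstration against the constructed sample; on a BIG-IP system you would instead run:
#   tmsh list apm ntlm ntlm-auth | check_ntlm_dc_lists
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | check_ntlm_dc_lists || :
```

The check treats a missing dc-fqdn-list property the same as an explicitly empty one, because the symptom on this page is that such a configuration silently reports authentication success; a configuration that never names a DC is exactly the case the fixed release now rejects.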