Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2, 11.4.1 HF9
Opened: Apr 15, 2015 Severity: 2-Critical
NTLMSSP_TARGET_INFO flag is set on NTLMSSP_CHALLENGE message that is generated by ECA, although Target Info attribute itself is included. Certain NTLM clients may ignore the target info attribute due to this issue, and fall back to use NTLM v1 authentication. With ActiveDirectory default configuration this is not an issue. However, if you had specifically required NTLMv2 in your policy, then the authentication will never succeed due to mismatch of the protocol.
Users cannot authenticate.
This occurs when NTLMv2 is set to required and NTLMv1 is denied in your ActiveDirectory policy.
None
NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.