Bug ID 528768: Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6

Opened: Jun 18, 2015
Severity: 3-Major

Symptoms

The BIG-IP system applies standard fully qualified domain name (FQDN) validation for Active Directory server FQDN. Unfortunately, Microsoft allows non-standard FQDN as well. (https://technet.microsoft.com/en-us/library/cc959336.aspx) At Non RFC strictness level, Active Directory allows additional "_" characters to be used everywhere in the DNS name. AD server that has "_" in its DNS name cannot be used for domain join operation for creating machine account or for authentication AD server for NTLM authentication. Both Multibyte and Any Character strictness level predictably can cause problem to our internal code; we do not support them.

Impact

Cannot be used for domain join for machine account creation or for target authentication server for NTLM authentication.

Conditions

AD server DNS name contains "_".

Workaround

To work around the problem, you can rename the Active Directory server.

Fix Information

Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.

Behavior Change