Bug ID 583113: NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM, SWG (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2

Opened: Mar 25, 2016
Severity: 3-Major

Symptoms

The following iRule did not work as expected when the access profile had an NTLM auth profile. The client still received a 407 prompt to enter NTLM credentials.

    when HTTP_PROXY_REQUEST {
        # Intended to skip access processing for matching URIs
        if { [HTTP::uri] contains "disable" } {
            ACCESS::disable
        }
    }

Impact

It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Conditions

Access profile of an SWG type, with an NTLM auth profile attached.

Workaround

The following iRule works from HTTP_REQUEST:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "disable" } {
            # Disable the ACCESS filter and the ECA plugin explicitly
            ACCESS::disable
            ECA::disable
        }
    }

Fix Information

When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin." The fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."

Behavior Change