Last Modified: Nov 07, 2022
Affected Product:
BIG-IP APM, SWG
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2
Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2
Opened: Mar 25, 2016
Severity: 3-Major
The following iRule did not work as expected when the access profile had NTLM auth configured. The client still received a 407 prompt to enter NTLM credentials.

    when HTTP_PROXY_REQUEST {
        if { [HTTP::uri] contains "disable" } {
            ACCESS::disable
        }
    }

It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.
Access profile of an SWG type, with an NTLM auth profile attached.
The following iRule works from HTTP_REQUEST:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "disable" } {
            # Disable the ACCESS filter and the ECA plugin for matching requests
            ACCESS::disable
            ECA::disable
        }
    }

When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin." The fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."