Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
17.1.0
Opened: Jul 28, 2016 Severity: 3-Major
BIG-IP can only identify users based on NTLM Auth credentials, not combined with Kerberos and Basic. Not all clients are capable of NTLM authentication (or behave erratically when HTTPS comes on top like Apple Safari on MacOS) and not all are capable of Kerberos authentication. BIG-IP benefits from the speed and security of Kerberos authentication while leaving the option for the client to fall back to NTLM if the client is not able to present a Kerberos token instead of falling back directly to insecure Basic authentication.
- performance lacks due to the regular authentications happening between the F5 SWG and the Active Directory. All requests for each element get a 407 back for another NTLM authentication that then leads to a communication between the SWG and the AD domain controller. If this were Kerberos the SWG would just need to verify if the Kerberos token is still valid. - If a client does not support NTLM it has no chance to authenticate although it might still support basic authentication.
In APM access policy, APM needs to have an option to authenticate user accounts with a 407 response and offer Kerberos, NTLM and Basic together.
None
None.