Bug ID 629921: [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.1, 12.1.2, 12.1.3,

Fixed In:
13.1.0, 13.0.0 HF1,

Opened: Nov 22, 2016

Severity: 3-Major


With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.


Backend server access is restricted.


Set-up SWG for auth with ntlm credentials Access a proxied resource which also requires ntlm auth



Fix Information

Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips