Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 13.0.0
Fixed In:
13.1.0, 13.0.0 HF1, 12.1.3.2
Opened: Nov 22, 2016 Severity: 3-Major
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.
Backend server access is restricted.
Set-up SWG for auth with ntlm credentials Access a proxied resource which also requires ntlm auth
None
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.