Bug ID 667600: Default 'enabled' value for 'request-based-authentication' of Kerberos Auth agent leads to various issues.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.3.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 02, 2017
Severity: 3-Major
Related AskF5 Article:
K34203924

Symptoms

The default value for 'request-based-authentication' property of Kerberos Auth agent is 'enabled'. This can lead to various issues, so most configurations require 'request-based-authentication' to be disabled.

Impact

The 'request-based-authentication' property is 'enabled' by default, which can lead to various issues.

Conditions

Create a new Kerberos Auth agent in an Access Policy

Workaround

You can use either of these mitigations: -- Disable 'request-based-authentication' manually during creation of a Kerberos Auth agent. -- Modify the agent after it is created.

Fix Information

The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'.

Behavior Change

The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'. During upgrade, if you have any Kerberos Auth agents with RBA enabled, the value remains the same. However, when you create a new Kerberos Auth agent, 'request-based-authentication' is set to 'disabled' by default, and you must manually set it to 'enabled', if needed.