Bug ID 667600: Default 'enabled' value for 'request-based-authentication' of Kerberos Auth agent leads to various issues.

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.3.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 02, 2017

Severity: 3-Major

Related Article: K34203924

Symptoms

The default value for 'request-based-authentication' property of Kerberos Auth agent is 'enabled'. This can lead to various issues, so most configurations require 'request-based-authentication' to be disabled.

Impact

The 'request-based-authentication' property is 'enabled' by default, which can lead to various issues.

Conditions

Create a new Kerberos Auth agent in an Access Policy

Workaround

You can use either of these mitigations: -- Disable 'request-based-authentication' manually during creation of a Kerberos Auth agent. -- Modify the agent after it is created.

Fix Information

The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'.

Behavior Change

The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'. During upgrade, if you have any Kerberos Auth agents with RBA enabled, the value remains the same. However, when you create a new Kerberos Auth agent, 'request-based-authentication' is set to 'disabled' by default, and you must manually set it to 'enabled', if needed.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips