Last Modified: Nov 07, 2022
Known Affected Versions:
15.0.0, 15.0.1, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Opened: Feb 28, 2019 Severity: 2-Critical
This release ships a new version of the nlad daemon. With the new daemon, NTLMv2 authentication might fail if the Domain Controller (DC) on your backend network does not have the most current security patches installed. The same failures do not occur with the earlier, Samba-library-based implementation, even when the DC is not updated.
Users may not be able to log onto the BIG-IP system.
-- Your network's Microsoft Windows DCs do not have the most current security patches installed.
-- NTLM authentication is configured on the BIG-IP system. This applies to plain NTLM authentication, the SWG explicit proxy, and RDG.
Update the Windows DCs to the latest security patches provided by Microsoft.
The nlad daemon has been reimplemented and now authenticates users through a different MSRPC call, netr_logonSamLogonWithFlags. The original implementation used the Samba library to communicate with the Domain Controller (DC), and Samba issues the netr_logonSamLogonEx call instead.

The netr_logonSamLogonWithFlags call is more secure because every request carries a Netlogon authenticator containing a credential derived from the secure channel (schannel) session key. The client calculates that credential for every call, and the DC verifies it for every call, so the two sides' credential state must stay in step. This is the call that fails against a DC that is missing current security updates.

The BIG-IP system no longer uses the Samba library. Instead, nlad runs MSRPC over TCP directly (the ncacn_ip_tcp protocol sequence) and establishes its own communication channels to the DC for NTLM authentication.
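The per-call authenticator described above is what separates the two calls in practice. The following Go program is an added example, not code from the BIG-IP nlad daemon or from Samba: it implements the Netlogon credential chaining that MS-NRPC specifies for AES secure channels (ComputeNetlogonCredential as AES in 8-bit CFB mode with a zero IV, a 32-bit little-endian addition of the timestamp to the stored credential, and a +1 step for the return authenticator). The session key and seed credential are constructed values standing in for the output of the secure-channel handshake, and the function names (Creds, ClientAuthenticator, ServerVerify, ClientVerifyReturn, Demo) are this example's own. The demo runs one verified call, then shows that replaying the same authenticator and tampering with a credential are both rejected, which is the property the page attributes to the new call.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Authenticator is the NETLOGON_AUTHENTICATOR sent with each
// netr_logonSamLogonWithFlags request: an 8-byte credential and a timestamp.
type Authenticator struct {
	Credential [8]byte
	Timestamp  uint32
}

// aesCFB8 encrypts src with AES in 8-bit CFB mode using a zero IV, the
// construction MS-NRPC specifies for AES secure channels. Go's standard
// library has no CFB8 mode, so the per-byte feedback is written out here.
func aesCFB8(key []byte, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, block.BlockSize()) // zero IV, as the spec requires
	ks := make([]byte, block.BlockSize())
	out := make([]byte, len(src))
	for i, b := range src {
		block.Encrypt(ks, iv)
		out[i] = b ^ ks[0]
		copy(iv, iv[1:]) // shift the feedback register left by one byte
		iv[len(iv)-1] = out[i]
	}
	return out
}

// computeNetlogonCredential maps an 8-byte input to an 8-byte credential
// under the session key.
func computeNetlogonCredential(sessionKey []byte, input [8]byte) [8]byte {
	var out [8]byte
	copy(out[:], aesCFB8(sessionKey, input[:]))
	return out
}

// addLE32 treats the first four bytes of cred as a little-endian uint32 and
// adds n with 32-bit wraparound, which is how MS-NRPC advances credentials.
func addLE32(cred [8]byte, n uint32) [8]byte {
	v := binary.LittleEndian.Uint32(cred[:4]) + n
	binary.LittleEndian.PutUint32(cred[:4], v)
	return cred
}

// Creds is one side's secure-channel state: the session key plus the stored
// credential that both client and DC advance on every call.
type Creds struct {
	SessionKey []byte
	Stored     [8]byte
}

// ClientAuthenticator adds the timestamp to the stored credential and derives
// the credential for the outgoing request.
func (c *Creds) ClientAuthenticator(ts uint32) Authenticator {
	c.Stored = addLE32(c.Stored, ts)
	return Authenticator{Credential: computeNetlogonCredential(c.SessionKey, c.Stored), Timestamp: ts}
}

// ServerVerify is the DC side: recompute the expected credential from its own
// stored state, reject on mismatch (leaving state untouched), otherwise step
// the state by one and produce the return authenticator.
func (s *Creds) ServerVerify(a Authenticator) (Authenticator, bool) {
	cand := addLE32(s.Stored, a.Timestamp)
	if computeNetlogonCredential(s.SessionKey, cand) != a.Credential {
		return Authenticator{}, false
	}
	s.Stored = addLE32(cand, 1)
	return Authenticator{Credential: computeNetlogonCredential(s.SessionKey, s.Stored)}, true
}

// ClientVerifyReturn steps the client state by one and checks the DC's
// return authenticator against it.
func (c *Creds) ClientVerifyReturn(r Authenticator) bool {
	c.Stored = addLE32(c.Stored, 1)
	return computeNetlogonCredential(c.SessionKey, c.Stored) == r.Credential
}

// Demo runs one authenticated call, a replay of that call, and a call with a
// tampered credential. Returns (first verified, replay accepted, tampered accepted).
func Demo() (first, replay, tampered bool) {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")       // constructed session key
	seed := [8]byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} // constructed post-handshake credential
	client := &Creds{SessionKey: key, Stored: seed}
	server := &Creds{SessionKey: key, Stored: seed}

	auth := client.ClientAuthenticator(1551312000)
	ret, ok := server.ServerVerify(auth)
	first = ok && client.ClientVerifyReturn(ret)

	_, replay = server.ServerVerify(auth) // DC state has moved on; old credential no longer matches

	auth2 := client.ClientAuthenticator(1551312001)
	auth2.Credential[0] ^= 0x01 // one flipped bit in the credential
	_, tampered = server.ServerVerify(auth2)
	return
}

func main() {
	first, replay, tampered := Demo()
	fmt.Printf("first call verified: %v\nreplay accepted: %v\ntampered accepted: %v\n", first, replay, tampered)
}
```

Because the DC's stored credential advances on every accepted call, a client whose chain is out of step with the DC (or a DC that handles the authenticator differently from the client) fails every subsequent request, which is the kind of hard failure the symptom section describes rather than a degraded mode.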