Bug ID 760141: NTLM authentication may fail after upgrade

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Feb 28, 2019

Severity: 2-Critical

Symptoms

This release ships a new version of the nlad daemon. With it, NTLMv2 authentication may fail if the Domain Controller (DC) on your back-end network does not have the most current security patches installed. The same failures do not occur with the earlier implementation (based on the Samba library), even against a DC that has not been updated.

Impact

Users may not be able to log onto the BIG-IP system.

Conditions

-- Your network's Microsoft Windows DCs do not have the most current security patches installed.
-- NTLM authentication is configured. This applies to plain NTLM authentication, to the SWG explicit proxy, and to RDG.

Workaround

Update the Windows DCs to the latest security patches provided by Microsoft.

Fix Information

None

Behavior Change

The nlad daemon has been reimplemented, and the new implementation authenticates a user with a different MSRPC call, netr_logonSamLogonWithFlags. The original implementation used the Samba library to communicate with a Domain Controller (DC), and Samba uses the netr_logonSamLogonEx call. netr_logonSamLogonWithFlags is the more secure of the two because each request carries an authenticator built from the secure channel (schannel) credentials: the credential is recomputed by the caller and verified by the DC on every call, so a DC that does not handle these authenticators correctly rejects the logon. The BIG-IP system no longer uses the Samba library. Instead, nlad runs MSRPC over TCP directly (the ncacn_ip_tcp protocol sequence) and establishes its own communication channels to the DC for NTLM authentication.
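The per-call authenticator exchange referred to above, written out as an added example. This is illustrative code, not F5's nlad implementation or Samba's: it follows the MS-NRPC authenticator computation (section 3.1.4.5) with the AES variant of ComputeNetlogonCredential (AES-128 in CFB8 mode, zero IV, section 3.1.4.4.1). The session key and initial stored credential are constructed sample bytes standing in for the values that secure-channel setup produces from the machine account password; the type and function names are the example's own. It shows what "verified on every call" means in practice: a replayed or altered authenticator is rejected, and the DC's stored credential advances only on success.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Authenticator is the NETLOGON_AUTHENTICATOR sent with each call.
type Authenticator struct {
	Credential [8]byte
	Timestamp  uint32
}

// Party is one side's secure-channel state; both copies of Stored must stay in step.
type Party struct {
	SessionKey [16]byte
	Stored     [8]byte
}

// ComputeNetlogonCredential, AES flavour (MS-NRPC 3.1.4.4.1): AES-128-CFB8 with an
// all-zero IV over the 8-byte input. Go has no CFB8 helper, so the feedback loop is spelled out.
func ComputeNetlogonCredential(input [8]byte, sessionKey [16]byte) [8]byte {
	block, err := aes.NewCipher(sessionKey[:])
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	var iv, keystream [16]byte // zero IV, as the protocol requires
	var out [8]byte
	for i, b := range input {
		block.Encrypt(keystream[:], iv[:])
		out[i] = b ^ keystream[0]
		copy(iv[:15], iv[1:]) // shift register: drop the oldest byte,
		iv[15] = out[i]       // feed the ciphertext byte back in
	}
	return out
}

// AddToCredential adds n to the first four bytes of a stored credential,
// read as a little-endian uint32, carry discarded (MS-NRPC 3.1.4.5).
func AddToCredential(cred [8]byte, n uint32) [8]byte {
	binary.LittleEndian.PutUint32(cred[:4], binary.LittleEndian.Uint32(cred[:4])+n)
	return cred
}

// ClientAuthenticator: add the timestamp to the stored credential, then
// encrypt the result under the session key (client steps of 3.1.4.5).
func (p *Party) ClientAuthenticator(ts uint32) Authenticator {
	p.Stored = AddToCredential(p.Stored, ts)
	return Authenticator{ComputeNetlogonCredential(p.Stored, p.SessionKey), ts}
}

// ServerVerify checks a client authenticator. On a match the DC advances its stored
// credential by one more and answers; on a mismatch its state is untouched (STATUS_ACCESS_DENIED).
func (p *Party) ServerVerify(a Authenticator) (Authenticator, bool) {
	candidate := AddToCredential(p.Stored, a.Timestamp)
	if ComputeNetlogonCredential(candidate, p.SessionKey) != a.Credential {
		return Authenticator{}, false
	}
	p.Stored = AddToCredential(candidate, 1)
	return Authenticator{Credential: ComputeNetlogonCredential(p.Stored, p.SessionKey)}, true
}

// ClientVerifyReturn mirrors the DC's final step and checks its answer.
func (p *Party) ClientVerifyReturn(ret Authenticator) bool {
	p.Stored = AddToCredential(p.Stored, 1)
	return ComputeNetlogonCredential(p.Stored, p.SessionKey) == ret.Credential
}

// SessionResult records what RunSession observed.
type SessionResult struct {
	FirstCallOK  bool // a clean call round-trips
	ReplayOK     bool // the first authenticator presented again
	TamperedOK   bool // a fresh authenticator with one bit flipped in transit
	SecondCallOK bool // that same authenticator, unmodified, after the reject
}

// RunSession plays one client and one DC through four requests. Session key and
// seed are constructed sample bytes; the real protocol derives both at secure-channel setup.
func RunSession() SessionResult {
	key := [16]byte{0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0}
	seed := [8]byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04}
	client := &Party{SessionKey: key, Stored: seed}
	server := &Party{SessionKey: key, Stored: seed}
	var r SessionResult
	auth1 := client.ClientAuthenticator(1000)
	ret1, ok := server.ServerVerify(auth1)
	r.FirstCallOK = ok && client.ClientVerifyReturn(ret1)
	_, r.ReplayOK = server.ServerVerify(auth1) // DC state has moved on: rejected
	auth2 := client.ClientAuthenticator(1001)
	bad := auth2
	bad.Credential[7] ^= 0x80 // on-path modification of one bit
	_, r.TamperedOK = server.ServerVerify(bad) // rejected, DC state unchanged
	ret2, ok2 := server.ServerVerify(auth2)    // so the genuine one still fits
	r.SecondCallOK = ok2 && client.ClientVerifyReturn(ret2)
	return r
}

func main() { fmt.Printf("%+v\n", RunSession()) }
```

Because every credential is a keyed function of the stored credential, which both sides advance in lockstep, the DC can tell a live request from a replay without keeping a history, and any mismatch (an unpatched DC that computes the authenticator differently, a desynchronised channel, or tampering) surfaces as a rejected call, which is what the symptom described on this page looks like from the BIG-IP side.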

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips