Forum Discussion
CVE-2024-21410
F5 does not support Extended Protection in SSL Bridging Mode. There is an RFE to support this, but it is rather unlikely that it is implemented for BIG-IP Classic.
(Bug alias 758880) [RFE] [NTLM V2 SSO] Support MS IIS option "Extended protection" with value "required" during authentication
Good to know, Juergen. Looking at the linked Microsoft article it says:
"Extended Protection is supported in environments that use SSL Bridging under certain conditions. To enable Extended Protection in your Exchange environment using SSL Bridging, you must use the same SSL certificate on Exchange and your Load Balancers. Using different certificates causes the Extended Protection Channel Binding Token check to fail and, as a result, prevents clients from connecting to the Exchange server."
That seems feasible, to have the same cert on both ends. That should at least do for satisfying the requirements for the Channel Binding Token to work.
Do you have any insights why it is not supported? Cannot find the RFE here: https://my.f5.com/manage/s/bug-tracker.
Neither by ID 758880 nor by searching for the term "extended protection".
Thx in advance.
- Juergen_Mang, Mar 27, 2024, MVP
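To make the "same certificate on both ends" requirement concrete, here is an added example (not code from either poster or from F5/Microsoft) that computes the RFC 5929 tls-server-end-point channel binding and the MS-NLMP MsvChannelBindings value that Exchange compares when Extended Protection is set to Required. The DER blobs are constructed placeholders, not real certificates; with SSL bridging the client's TLS session ends on the load balancer, so the client hashes the load balancer's certificate while Exchange hashes its own.

```python
import hashlib
import hmac
import struct

# Constructed stand-in DER blobs; real code hashes the actual X.509 DER bytes.
EXCHANGE_CERT_DER = b"\x30\x82\x01\x00" + b"exchange-server-cert-placeholder"
LB_CERT_DER = b"\x30\x82\x01\x00" + b"load-balancer-cert-placeholder"


def tls_server_end_point_cb(cert_der: bytes, sig_hash_alg: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server's DER certificate.
    The hash is the one named in the certificate's signatureAlgorithm,
    except that MD5 and SHA-1 are replaced by SHA-256."""
    alg = sig_hash_alg.lower().replace("-", "")
    if alg in ("md5", "sha1"):
        alg = "sha256"
    return hashlib.new(alg, cert_der).digest()


def ntlm_channel_bindings(cb_data: bytes) -> bytes:
    """MS-NLMP MsvChannelBindings AV_PAIR value: MD5 over the serialized
    gss_channel_bindings_struct whose only populated field is
    application_data = b"tls-server-end-point:" + certificate hash."""
    app_data = b"tls-server-end-point:" + cb_data
    # initiator_addrtype, initiator_address length, acceptor_addrtype,
    # acceptor_address length: all zero / empty for TLS channel bindings
    buf = struct.pack("<IIII", 0, 0, 0, 0)
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def cbt_check_passes(client_seen_cert: bytes, server_own_cert: bytes,
                     sig_hash_alg: str = "sha256") -> bool:
    """Exchange/IIS with Extended Protection 'Required': the channel binding
    the client embedded in its NTLM response (over the certificate its TLS
    session terminated on) must equal the one computed over the server's
    own certificate. A mismatch is rejected, i.e. the symptom in the thread."""
    client_cbt = ntlm_channel_bindings(tls_server_end_point_cb(client_seen_cert, sig_hash_alg))
    server_cbt = ntlm_channel_bindings(tls_server_end_point_cb(server_own_cert, sig_hash_alg))
    return hmac.compare_digest(client_cbt, server_cbt)


if __name__ == "__main__":
    # Bridging with a different certificate on the BIG-IP: CBT check fails.
    print("different certs:", cbt_check_passes(LB_CERT_DER, EXCHANGE_CERT_DER))
    # Same certificate deployed on both hops: CBT check passes.
    print("same cert:", cbt_check_passes(EXCHANGE_CERT_DER, EXCHANGE_CERT_DER))
```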
I have tried using the same certificate on both ends and it has not worked. I opened a ticket and the support gave me the mentioned bug id and RFE. It seems these are only F5 internally accessible.
I unfortunately had no time to debug this issue further. My customer decided to move forward to modern authentication, disabling NTLM completely, and not to invest time and money in legacy authentication mechanisms.
Unfortunately I have no access to an Exchange lab environment. Digging into this issue deeper would be very interesting!
Edit:
This is interesting: https://www.synacktiv.com/en/publications/dissecting-ntlm-epa-with-love-building-a-mitm-proxy.html
With enough time it should be feasible with an iRule.