Forum Discussion
rewrite ntlm secure channel bind credentials
We have found an issue using Outlook Anywhere through F5 APM (no LTM) when the customer has a disjointed domain name and they use NTLM from the client to the F5. We raised this through support and have a bug ID but no solution or workaround yet.
My example names below are from a test lab to demonstrate the problem.
DNS domain name - rmtest.local
NetBIOS domain name - rmtest-uk
When the F5 tries to bind the secure channel to the DC using the NTLM machine account, it assumes the NetBIOS domain name is the same as the DNS name and authenticates as rmtest.
This fails, and until a fix is released we have no workaround.
I wondered if we could place the DC into a pool and, using a hosts entry on the F5, force the traffic through a virtual IP. Could we then use an iRule to rewrite the authentication from rmtest to rmtest-uk?
I have tried to use a stream profile with the text, hex and binary formats, none work.
I tried variations around example three of https://devcentral.f5.com/wiki/irules.TCP__payload.ashx but all unsuccessful.
To confirm, it is frame 25 that needs changing in the attached pcap, which returns a bind_nak as the DC says it can't find the domain\user.
I'm not sure if the lack of an LTM license is affecting this or just my inability to understand how to do this?
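To show why a stream profile or byte-level iRule substitution cannot work on the NTLM bind in frame 25, here is an added Python example, not from this thread or from F5: it builds a constructed NTLMSSP AUTHENTICATE_MESSAGE in the MS-NLMP layout, parses the DomainName, UserName and Workstation fields through their length/offset descriptors, and shows that a raw byte swap of rmtest for rmtest-uk leaves those descriptors stale so the fields after the domain are misread. The machine account name F5HOST$ and the OEM code page fallback (cp437) are assumptions.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
FIELD = struct.Struct("<HHI")  # MS-NLMP field descriptor: Len, MaxLen, BufferOffset


def build_authenticate(domain, user, workstation):
    """Constructed AUTHENTICATE_MESSAGE (type 3) with empty LM/NT responses and a
    zero MIC: enough to show how the domain name is carried on the wire."""
    bufs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]
    # Signature, MessageType, 6 descriptors, NegotiateFlags, Version, MIC
    header_len = 8 + 4 + 6 * FIELD.size + 4 + 8 + 16
    descriptors, payload, offset = b"", b"", header_len
    for buf in bufs:
        descriptors += FIELD.pack(len(buf), len(buf), offset)
        payload += buf
        offset += len(buf)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
            + bytes(8) + bytes(16) + payload)


def parse_authenticate(msg):
    """Return (domain, user, workstation) exactly as the DC would read them."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 12 + 6 * FIELD.size)[0]
    # UNICODE flag means UTF-16LE strings; otherwise the OEM code page (cp437 assumed)
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    names = []
    for i in (2, 3, 4):  # DomainName, UserName, Workstation descriptors
        length, _maxlen, off = FIELD.unpack_from(msg, 12 + i * FIELD.size)
        names.append(msg[off:off + length].decode(codec))
    return tuple(names)


def domain_mismatch(msg, expected_netbios):
    """Diagnostic check: does the domain the client sent match the DC's NetBIOS name?"""
    return parse_authenticate(msg)[0].upper() != expected_netbios.upper()


def naive_stream_rewrite(msg, old, new):
    """What a stream-profile style substitution does: swap the UTF-16LE bytes but
    leave every Len/BufferOffset untouched, so the fields after it shift."""
    return msg.replace(old.encode("utf-16-le"), new.encode("utf-16-le"))
```

Even with the descriptors recomputed, NTLMv2 mixes the domain name into the NTOWFv2 key and the MIC covers the whole message, so a domain rewritten in transit would still fail validation at the DC; the apm.netbios.domainname db variable mentioned later in the thread corrects the name at the source instead.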
14 Replies
- matt_64003
Cirrus
F5 support says it will be fixed in 11.6.1
- Julio_Navarro
Cirrostratus
Any news on BUG 439880?
- Algebraic_Mirror
Cirrostratus
Has anyone heard any update on this? I can't find any SOLs or release notes that would confirm this is fixed, and I know it's not fixed in 11.5.1 HF8, because I just ran into it there today. And a friend of mine also ran into it just a month or two ago at a different company, and it is holding up an APM/Exchange 2013 project.
- matt_64003
Cirrus
There is a workaround available in 11.6 HF6 - you enter your NetBIOS domain name as a DB value:
tmsh modify sys db apm.netbios.domainname value myNetBiosName
This fixed the issue for me in 11.6. I haven't tested 12.0 but apparently the issue is fixed in that release and the workaround is not required.