Forum Discussion
rewrite ntlm secure channel bind credentials
We have found an issue using Outlook Anywhere through F5 APM (no LTM) when the customer has a disjointed domain name and they use NTLM from the client to the F5. We raised this through support and have a bugid but no solution or workaround yet.
My example names below are from a test lab to demonstrate the problem.
DNS domain name - rmtest.local
NetBIOS domain name - rmtest-uk
When the F5 tries to bind the secure channel to the DC using the NTLM machine account it assumes the NetBIOS domain name is the same as the DNS name and authenticates as rmtest.
This fails, and until a fix is released we have no workaround.
I wondered if we could place the DC into a pool and, using a hosts entry on the F5, force the traffic through a virtual IP. Could we then use an iRule to rewrite the authentication from rmtest to rmtest-uk?
I have tried to use a stream profile with the text, hex and binary formats; none work.
I tried variations around example three of https://devcentral.f5.com/wiki/irules.TCP__payload.ashx but all unsuccessful.
To confirm, it is frame 25 in the attached pcap that needs changing; it returns a bind_nak as the DC says it can't find the domain\user.
I'm not sure if the lack of an LTM license is affecting this or just my inability to understand how to do this?
14 Replies
- Rich_M_138850
Nimbostratus
Not sure how to attach the pcap file. To confirm, the frame shows as DCERPC, RPC_NETLOGON, port 445.
- Christian_30338
Historic F5 Account
Can you show the output of the TCP::payload for frame 25? Also highlight the problem string and what you would like it updated to.
- Rich_M_138850
Nimbostratus
I'm not sure how you wanted me to gather this but below copied from the follow tcp stream in wireshark.
.....SMB%.........
?O..t... .G.......f.................R.f.R...&...u...P.I.P.E............f...,...................xV4.4......Eg.......]..........+.H`....D...............RMTEST.TESTF5..
The RMTEST.TESTF5 in my case would read RMTEST-UK.TESTF5.
Let me know if you require a different format.
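Added example (Python, not code from the thread or from F5): a minimal OEM-encoded NTLM AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) built from constructed values, to show why the stream-profile / TCP::payload byte substitution tried in the first post cannot work. It assumes the dump's `RMTEST` and `TESTF5` are the DomainName and Workstation fields of the NTLMSSP authenticate message carried in the DCERPC bind; every variable field in that message is located by a Len/MaxLen/Offset descriptor in the fixed header, so growing `RMTEST` to `RMTEST-UK` in place shifts every field after it. The account name `TESTF5$`, the flags and the response bytes are made up for the sample.

```python
"""
Added example (not from the thread or from F5): an OEM-encoded NTLM
AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) built from constructed values, used to
compare a blind byte substitution of the domain name (what a stream profile or
TCP::payload replace does) with a field-aware rewrite that re-encodes the
Len/Offset descriptors.
"""
import struct

NTLMSSP = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
# signature(8) + type(4) + six Fields descriptors(6*8) + flags(4) + version(8) + MIC(16)
HEADER_LEN = 88

# Order of the six descriptors in the fixed header (MS-NLMP 2.2.1.3).
FIELD_ORDER = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
# Layout used here for the variable payload (the order Windows clients emit).
PAYLOAD_ORDER = ("domain", "user", "workstation", "lm_response", "nt_response", "session_key")

# NEGOTIATE_OEM | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY:
# 8-bit strings, which is what the contiguous ASCII in the posted dump suggests (assumption).
DEFAULT_FLAGS = 0x00088202


def build_authenticate(fields, flags=DEFAULT_FLAGS):
    """Serialize an AUTHENTICATE_MESSAGE whose descriptors match its payload."""
    descriptors = {}
    payload = bytearray()
    for name in PAYLOAD_ORDER:
        data = fields[name]
        descriptors[name] = (len(data), HEADER_LEN + len(payload))
        payload += data
    msg = bytearray(NTLMSSP + struct.pack("<I", MSG_AUTHENTICATE))
    for name in FIELD_ORDER:
        length, offset = descriptors[name]
        msg += struct.pack("<HHI", length, length, offset)  # Len, MaxLen, BufferOffset
    msg += struct.pack("<I", flags)
    msg += b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"  # Version field, illustrative value
    msg += b"\x00" * 16                         # MIC left zero (see note below)
    msg += payload
    return bytes(msg)


def parse_authenticate(msg):
    """Resolve the six variable fields through their descriptors, as the DC does."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != MSG_AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    fields, pos = {}, 12
    for name in FIELD_ORDER:
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        pos += 8
        if offset + length > len(msg):
            raise ValueError(f"{name}: descriptor points past the end of the message")
        fields[name] = msg[offset:offset + length]
    return fields


def naive_rewrite(msg, old, new):
    """What a stream profile or TCP::payload replace does: swap bytes, fix nothing."""
    return msg.replace(old, new)


def rewrite_domain(msg, new_domain):
    """Field-aware rewrite: change DomainName and re-emit every Len/Offset."""
    fields = parse_authenticate(msg)
    flags = struct.unpack_from("<I", msg, 12 + 8 * len(FIELD_ORDER))[0]
    fields["domain"] = new_domain
    return build_authenticate(fields, flags)


# Constructed sample mirroring the thread: DomainName "RMTEST" (the DNS label the
# F5 sent), machine account TESTF5$, Workstation "TESTF5". Responses are filler.
SAMPLE = build_authenticate({
    "domain": b"RMTEST",
    "user": b"TESTF5$",
    "workstation": b"TESTF5",
    "lm_response": b"\x00" * 24,
    "nt_response": b"\x11" * 48,  # an NTLMv2 response would sit here
    "session_key": b"",
})

if __name__ == "__main__":
    for label, msg in (("original", SAMPLE),
                       ("naive byte swap", naive_rewrite(SAMPLE, b"RMTEST", b"RMTEST-UK")),
                       ("field-aware rewrite", rewrite_domain(SAMPLE, b"RMTEST-UK"))):
        f = parse_authenticate(msg)
        print(f"{label:20s} domain={f['domain']!r} user={f['user']!r} "
              f"workstation={f['workstation']!r} nt_response[:4]={f['nt_response'][:4]!r}")
```

Running it shows the naive swap leaves the DC reading DomainName `RMTEST` and UserName `-UKTEST`, because the descriptors still point at the old offsets. The field-aware rewrite produces a well-formed message, but in the thread's setting even that is not enough: the message sits inside a DCERPC bind PDU on an SMB named pipe, so frag_length, auth_length and the SMB/NetBIOS lengths also change, and per MS-NLMP 3.3.2 the NTLMv2 NtChallengeResponse is keyed over the user and domain name (NTOWFv2) while the MIC covers the whole exchange, so a DC would still reject the rewritten message. The domain name has to be correct where the message is generated, which is why this needed a fix in the nlad component rather than an iRule.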
- Kevin_Stewart
Employee
Have you tried setting the session.logon.last.domain session variable explicitly with the correct domain name?
- Rich_M_138850
Nimbostratus
Hi Kevin, I haven't tried that, as the problem is the F5 binding a secure channel using the NTLM machine account to the AD before any user even tries to access.
Can you confirm where I could try that?
Many thanks
- Kevin_Stewart
Employee
In your NTLM SSO configuration there's a "Domain Source" field that's probably set to session.logon.last.domain. If you don't set this explicitly the SSO will use the specified NTLM Domain value. In your VPE, create a variable assignment agent and set session.logon.last.domain to the desired domain name value.
session.logon.last.domain = expr { "MYDOMAIN.COM" }
- Rich_M_138850
Nimbostratus
We tried this setting but it has not helped.
I think that the setting may be useful if we can get the ntlm machine account to bind initially. Until the channel binds there is no ntlm auth of users and no subsequent SSO.
- René_Geile
Cirrus
Hi,
can you tell me the bugid and any information which release might include the fix? I might be having a similar issue.
Netbios Domain is "SOME_THING" (with underline 0x5F) and DNS Domain is "something.other"
In /var/log/apm error messages from nlad are displayed: NT_STATUS_ACCESS_DENIED setting up secure pipe.
- Rich_M_138850
Nimbostratus
I understand from our SE that this will be resolved Q1 2015.
- gstrasser
Nimbostratus
Good to hear that; we have been waiting for more than 6 months now.
Regards