
NTLM message on F5

Hi,

I am configuring NTLM authentication on the F5 following this guide: https://devcentral.f5.com/articles/configuring-apm-client-side-ntlm-authentication

I have admin rights to create the machine account on AD, and once created, I can renew the password with no errors.

But the F5 is constantly reporting the following message in /var/log/apm:

May 10 10:31:58 err nlad[5376]: 01620000:3: <0x2b323ffd0700> nlclnt[31750020a] init: Error [0xc0000011,NT_STATUS_END_OF_FILE] connecting to DC [ip address]

Any idea why?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

K55889450: BIG-IP APM NTLM authentication for RDP client gateway and Microsoft Exchange Proxy are incompatible with the Microsoft workaround for MS17-010 (WannaCry / EternalBlue)

Microsoft has released security bulletin MS17-010 announcing a recommended software security patch to fix multiple vulnerabilities in SMBv1. A procedure to disable SMBv1 is listed as a workaround. When this workaround is implemented, NTLM authentication in BIG-IP APM fails for RDP client gateway deployments, and Microsoft Exchange ActiveSync proxy deployments.

As a result of this issue, you may encounter one or more of the following symptoms:

Users are unable to authenticate when accessing RDP or Exchange services using the BIG-IP APM system. The BIG-IP APM system generates messages to the /var/log/apm file that appear similar to the following example:

01620000:3: <0x55abeb70> nlclnt[129010a0a] init: Error [0xc0000011,NT_STATUS_END_OF_FILE] connecting to DC 10.10.10.10

0
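The symptom in the answer above is a specific log signature, so it can be checked for rather than eyeballed. The following Python script is an added example, not part of the original thread and not F5's own tooling: it parses nlclnt init error lines from /var/log/apm in the exact format quoted in the thread, counts NT status values per domain controller, and reports the DCs whose failures consist solely of NT_STATUS_END_OF_FILE, the signature K55889450 attributes to the SMBv1 workaround. The sample log lines, the client ids and the IP addresses are constructed; the second status code (access denied) is included only to show that a different status on a DC points to a different cause and is not flagged.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Line shape taken from the messages quoted in the thread, e.g.
#   ... nlclnt[129010a0a] init: Error [0xc0000011,NT_STATUS_END_OF_FILE] connecting to DC 10.10.10.10
NLCLNT_INIT_ERROR = re.compile(
    r"nlclnt\[(?P<client>[0-9a-fA-F]+)\] init: Error "
    r"\[(?P<code>0x[0-9a-fA-F]+),(?P<status>[A-Z0-9_]+)\] "
    r"connecting to DC (?P<dc>.+?)\s*$"
)

# Per K55889450, this is the status APM's NTLM client (nlad) logs when the DC
# no longer accepts the SMBv1 session it tries to open.
SMBV1_WORKAROUND_STATUS = "NT_STATUS_END_OF_FILE"


@dataclass(frozen=True)
class NlclntError:
    client: str   # nlclnt instance id (hex) as logged
    code: str     # raw NT status code, e.g. 0xc0000011
    status: str   # symbolic NT status, e.g. NT_STATUS_END_OF_FILE
    dc: str       # domain controller the connection was attempted to


def parse_nlclnt_error(line: str) -> Optional[NlclntError]:
    """Return the parsed error for an nlclnt init failure line, else None."""
    m = NLCLNT_INIT_ERROR.search(line)
    if m is None:
        return None
    return NlclntError(m["client"], m["code"].lower(), m["status"], m["dc"])


def errors_by_dc(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count NT status values per DC across the given /var/log/apm lines."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        err = parse_nlclnt_error(line)
        if err is not None:
            counts[err.dc][err.status] += 1
    return dict(counts)


def dcs_matching_k55889450(lines: Iterable[str]) -> List[str]:
    """DCs whose failures are exclusively NT_STATUS_END_OF_FILE (the K55889450 signature)."""
    result = []
    for dc, statuses in sorted(errors_by_dc(lines).items()):
        if set(statuses) == {SMBV1_WORKAROUND_STATUS}:
            result.append(dc)
    return result


# Constructed sample lines in the format quoted in the thread (documentation IP addresses).
SAMPLE_LOG = [
    "May 10 10:31:58 err nlad[5376]: 01620000:3: <0x2b323ffd0700> nlclnt[31750020a] init: "
    "Error [0xc0000011,NT_STATUS_END_OF_FILE] connecting to DC 192.0.2.10",
    "May 10 10:31:59 err nlad[5376]: 01620000:3: <0x2b323ffd0700> nlclnt[31750020b] init: "
    "Error [0xc0000011,NT_STATUS_END_OF_FILE] connecting to DC 192.0.2.10",
    "May 10 10:32:01 err nlad[5376]: 01620000:3: <0x2b323ffd0700> nlclnt[31750020c] init: "
    "Error [0xc0000022,NT_STATUS_ACCESS_DENIED] connecting to DC 192.0.2.11",
    "May 10 10:32:02 notice apmd[5400]: 01490500:5: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for dc, statuses in errors_by_dc(SAMPLE_LOG).items():
        print(dc, dict(statuses))
    print("DCs showing the K55889450 signature:", dcs_matching_k55889450(SAMPLE_LOG))
```

Run it against a copy of /var/log/apm (for example by replacing SAMPLE_LOG with the file's lines) to see at a glance which DCs nlad is failing against and whether the failure is the end-of-file pattern from the answer or something else entirely.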
Comments on this Answer
Comment made 16-May-2018 by a.basharat 296

Thanks, I have now read that 'known issue'. We are using the F5 as a forward proxy and I am trying to configure NTLM on it following Kevin's article.

Still, I don't know what to do on the F5 to resolve the situation, as I can't touch the Domain Controllers. Is there anything else I can do on the F5, or can this only be fixed by applying certain patches to the Domain Controllers?

0
Comment made 16-May-2018 by S Blakely

You cannot fix this on the F5.
The fix has to be applied to the Domain Controllers and the workaround removed.

0
Comment made 16-May-2018 by andrew 195

I disagree with this statement. SMBv1 is very old, Microsoft have deprecated it, it isn't even installed on Server 16 by default, and who knows if you will even be able to enable it at all on 19. The general feedback I get from the "WinTel" teams for the clients I work with is that they will not re-enable SMBv1.

The correct answer is that until F5 move to a newer version of samba, NTLM isn't a viable option for most organisations. I pressed the F5 support people hard, as well as the sales/channel managers; hopefully if enough people do this, getting a newer version of samba in the stack will move up the priority queue.

I have just gone through this, and my only viable option was to move to Kerberos authentication.

cheers

0
Comment made 17-May-2018 by a.basharat 296

SMBv1 has been disabled on our servers as per an important security vulnerability remedy, so does that mean that in this scenario I can NOT configure NTLM Authentication with the F5?

We are trying to achieve seamless authentication for domain-joined machines, so that if they have already authenticated in AD, the F5 doesn't challenge them twice but pulls the credentials seamlessly and lets them through -> Is this something we can achieve with another sort of Authentication on the F5 [as NTLM looks like it is being dropped]?

Thanks

0
Comment made 17-May-2018 by andrew 195

In that case you will want to use Kerberos. On the Windows side I find this to be a pretty good resource on creating Kerb Keytabs: https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/ . If you look in the APM documentation you will find what to do on the F5 side.

0
Comment made 30-May-2018 by a.basharat 296

To configure Kerberos Authentication on the F5, this article says that there is a Client Side and a Server Side Authentication.

A) The client side configuration is to follow this guide, I believe. Can you confirm, please?

B) What about the Server side configuration? Or is it included in the previous section as well?

If you could help with this, please.

0