Forum Discussion

Rich_M_138850
Dec 09, 2013

rewrite ntlm secure channel bind credentials

We have found an issue using Outlook Anywhere through F5 APM (no LTM) when the customer has a disjointed domain name and they use NTLM from the client to the F5. We raised this through support and have a bug ID but no solution or workaround yet.


My example names below are from a test lab to demonstrate the problem.


DNS domain name: rmtest.local
NetBIOS domain name: rmtest-uk


When the F5 tries to bind the secure channel to the DC using the NTLM machine account, it assumes the NetBIOS domain name is the same as the DNS name and authenticates as rmtest.


This fails, and until a fix is released we have no workaround.


I wondered if we could place the DC into a pool and, using a hosts entry on the F5, force the traffic through a virtual IP. Could we then use an iRule to rewrite the authentication from rmtest to rmtest-uk?


I have tried to use a stream profile with the text, hex and binary formats; none work.


I tried variations around example three of https://devcentral.f5.com/wiki/irules.TCP__payload.ashx, but all were unsuccessful.


To confirm, it is frame 25 in the attached pcap that needs changing; it returns a bind_nak, as the DC says it can't find the domain\user.


I'm not sure if the lack of an LTM license is affecting this, or if it is just my inability to understand how to do this.


14 Replies
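The post above hinges on which domain name the F5 actually puts in the NTLM type 3 (AUTHENTICATE_MESSAGE) inside the secure-channel bind. The following is an added diagnostic example, not code from the original post or from F5: it locates NTLMSSP messages in a raw byte stream (the bind in the poster's frame 25 carries one inside the DCE/RPC auth trailer), parses the type 3 header as laid out in MS-NLMP, and reports the DomainName, UserName and Workstation fields so the DNS-derived name can be compared against the expected NetBIOS name. The sample message is constructed locally with zero-filled responses; the names "rmtest", "rmtest-uk" and "F5APM" are the poster's lab names and an assumed workstation name, and `build_sample_authenticate`, `parse_authenticate`, `domain_matches` and `find_ntlmssp_messages` are names chosen here, not any library API.

```python
import struct

# Constants from MS-NLMP (the NTLM authentication protocol specification)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Fixed offsets of the 8-byte (Len, MaxLen, BufferOffset) descriptors in an
# AUTHENTICATE_MESSAGE header, and the header length with Version and MIC present
LM_RESPONSE_FIELDS = 12
NT_RESPONSE_FIELDS = 20
DOMAIN_FIELDS = 28
USER_FIELDS = 36
WORKSTATION_FIELDS = 44
SESSION_KEY_FIELDS = 52
FLAGS_OFFSET = 60
HEADER_LEN = 88  # signature + type + 6 descriptors + flags + Version(8) + MIC(16)


def _payload_field(buf, descriptor_offset):
    """Resolve one (Len, MaxLen, BufferOffset) descriptor to its payload bytes."""
    length, _max_len, buffer_offset = struct.unpack_from("<HHI", buf, descriptor_offset)
    if buffer_offset + length > len(buf):
        raise ValueError("descriptor points outside the message")
    return buf[buffer_offset:buffer_offset + length]


def find_ntlmssp_messages(stream):
    """Return the offsets of every NTLMSSP signature in a raw byte stream."""
    offsets, start = [], 0
    while True:
        idx = stream.find(NTLMSSP_SIGNATURE, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + len(NTLMSSP_SIGNATURE)


def parse_authenticate(buf):
    """Parse a type 3 AUTHENTICATE_MESSAGE and return its name fields and flags."""
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected AUTHENTICATE_MESSAGE (3), got type {msg_type}")
    flags = struct.unpack_from("<I", buf, FLAGS_OFFSET)[0]
    # Names are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM code page
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _payload_field(buf, DOMAIN_FIELDS).decode(encoding),
        "user": _payload_field(buf, USER_FIELDS).decode(encoding),
        "workstation": _payload_field(buf, WORKSTATION_FIELDS).decode(encoding),
        "nt_response_len": len(_payload_field(buf, NT_RESPONSE_FIELDS)),
        "flags": flags,
    }


def domain_matches(buf, expected_netbios_domain):
    """True when the DomainName field equals the expected NetBIOS name (case-insensitive)."""
    return parse_authenticate(buf)["domain"].upper() == expected_netbios_domain.upper()


def build_sample_authenticate(domain, user, workstation):
    """Construct a minimal AUTHENTICATE_MESSAGE for exercising the parser.

    Constructed sample only: the LM/NT responses, session key and MIC are zero
    filled, so it is not a valid credential, just the correct wire layout.
    """
    payload_items = [
        b"\x00" * 24,                   # LmChallengeResponse (dummy)
        b"\x00" * 24,                   # NtChallengeResponse (dummy)
        domain.encode("utf-16-le"),
        user.encode("utf-16-le"),
        workstation.encode("utf-16-le"),
        b"",                            # EncryptedRandomSessionKey (absent)
    ]
    descriptors, payload, offset = b"", b"", HEADER_LEN
    for item in payload_items:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors
              + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
              + b"\x00" * 8     # Version
              + b"\x00" * 16)   # MIC
    assert len(header) == HEADER_LEN
    return header + payload


if __name__ == "__main__":
    # Constructed stand-in for the type 3 message in the poster's frame 25: the
    # DNS-derived name "rmtest" is sent where the NetBIOS name "rmtest-uk" is expected.
    sample = build_sample_authenticate("rmtest", "F5APM$", "F5APM")
    info = parse_authenticate(sample)
    print(f"domain={info['domain']!r} user={info['user']!r} workstation={info['workstation']!r}")
    print("matches NetBIOS domain rmtest-uk:", domain_matches(sample, "rmtest-uk"))
```

Running this against the bytes of the real bind frame (exported from the pcap) confirms which name the F5 sends before any rewrite is attempted. It also shows why an in-transit rewrite is a poor bet: the NTLMv2 response is keyed over the user name and the domain name the client placed in this message, and when a MIC is negotiated the 16-byte field at offset 72 covers all three NTLM messages, so a DC will generally reject a message whose DomainName was changed after the client computed it. The name has to be corrected at the source, which is what the bug fix the poster is waiting on would do.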