
K24341710: Exchange users fail to connect through APM after applying workaround for MS17-010 (WannaCry / EternalBlue)

Diagnostic

Original Publication Date: Jul 10, 2019

Update Date: Jul 10, 2019

Issue

Description

After applying the Windows workaround for MS17-010 (WannaCry / EternalBlue) to disable SMBv1, Exchange users are unable to connect to the Exchange servers. The following logs can be observed in the /var/log/apm file:

eca[13390]: 0162000e:3: Could not verify () credential (STATUS_NO_LOGON_SERVERS)
eca[13390]: 01620002:4: [Common] with configuration (/Common/Exchange2016.app/exch_ntlm_combined_https) result: (R90MLUMK): Fail (STATUS_NO_LOGON_SERVERS)
nlad[13704]: 01620000:3: <0x2ae8c998ef40> clntsvc: error [0xc000005e, NT_STATUS_NO_LOGON_SERVERS] queuing logon request

Environment

Users accessing Microsoft Exchange via the BIG-IP APM
Recently patched Windows Exchange Server
NTLM authentication is configured on the BIG-IP APM

Cause

After applying the Microsoft workaround for MS17-010 (WannaCry / EternalBlue) to disable SMBv1, NTLM authentication fails, because the affected BIG-IP APM versions use SMBv1 to perform NTLM passthrough authentication against the domain.

Recommended Actions

There are three options for resolving this issue:

1. Do not employ the Microsoft workaround: re-enable SMBv1 and install the Microsoft security update for MS17-010 (WannaCry / EternalBlue) instead.
2. Reconfigure the Exchange CAS pool to use Constrained Delegation SSO rather than NTLM. This ensures that NTLM passthrough is not used.
3. Upgrade the BIG-IP APM to 14.1.0.5 or a later version, or to 15.0.0.

Additional Information

Beginning in BIG-IP APM 14.1.0.5 (on the 14.1.0 branch) and BIG-IP APM 15.0.0, BIG-IP APM no longer uses SMBv1 in its implementation of NT LAN Manager (NTLM) authentication. NTLM passthrough authentication instead uses the Netlogon protocol directly over TCP (MSRPC over TCP), so issues related to the SMB protocol no longer apply. In 2014, Microsoft officially deprecated the SMBv1 protocol, and, from Windows 10 version 1709 onward, SMBv1 is no longer installed by default. For Windows Server and other versions, refer to SMBv1 is not installed by default in Windows 10.
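The log lines quoted in the Description and the version thresholds given here can be combined into a quick triage check. The following Python script is an added example for this article, not F5 code: it parses the eca/nlad lines from /var/log/apm, flags the STATUS_NO_LOGON_SERVERS failures, and compares a BIG-IP version string against the 14.1.0.5 / 15.0.0 thresholds stated above. The syslog prefix on the sample lines is constructed; the rest of each line is taken from the article.

```python
"""Triage helper for the APM NTLM passthrough failure described in this article.

Example code added to the article (not F5 code). The sample log lines are
constructed from the article text; the version thresholds (14.1.0.5 on the
14.1.0 branch, and 15.0.0) are the ones the article states.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/log/apm: the three lines from the article, plus one
# successful result line that must not be flagged. The syslog prefix is made up.
SAMPLE_APM_LOG = """\
Jul 10 10:00:01 bigip1 notice eca[13390]: 0162000e:3: Could not verify () credential (STATUS_NO_LOGON_SERVERS)
Jul 10 10:00:01 bigip1 notice eca[13390]: 01620002:4: [Common] with configuration (/Common/Exchange2016.app/exch_ntlm_combined_https) result: (R90MLUMK): Fail (STATUS_NO_LOGON_SERVERS)
Jul 10 10:00:01 bigip1 notice nlad[13704]: 01620000:3: <0x2ae8c998ef40> clntsvc: error [0xc000005e, NT_STATUS_NO_LOGON_SERVERS] queuing logon request
Jul 10 10:00:02 bigip1 notice eca[13390]: 01620002:4: [Common] with configuration (/Common/Exchange2016.app/exch_ntlm_combined_https) result: (R90MLUMK): Success
"""

# APM daemon lines look like: daemon[pid]: msgid:level: message text
_APM_LINE = re.compile(
    r"(?P<daemon>eca|nlad)\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}):(?P<level>\d):\s*(?P<text>.*)"
)
# Both spellings seen in the article: eca reports STATUS_..., nlad reports NT_STATUS_...
_NO_LOGON = re.compile(r"\b(?:NT_)?STATUS_NO_LOGON_SERVERS\b")


def find_no_logon_server_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one record per eca/nlad line that carries a NO_LOGON_SERVERS status."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = _APM_LINE.search(line)
        if not match:
            continue
        status = _NO_LOGON.search(match.group("text"))
        if not status:
            continue
        record = match.groupdict()
        record["status"] = status.group(0)
        hits.append(record)
    return hits


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.0.5' into (14, 1, 0, 5) so versions compare as tuples."""
    return tuple(int(part) for part in version.strip().split("."))


# First releases in which APM stops using SMBv1 for NTLM, per the article.
FIXED_FROM = parse_version("14.1.0.5")


def ntlm_uses_smbv1(version: str) -> bool:
    """True when this BIG-IP APM version still performs NTLM passthrough over SMBv1.

    Tuple comparison gives the right answer for both thresholds: 14.1.0 < 14.1.0.5
    (affected) and 15.0.0 > 14.1.0.5 (fixed). Assumption: only the thresholds the
    article names are encoded; consult F5 for any other branch.
    """
    return parse_version(version) < FIXED_FROM


def likely_ms17010_workaround_impact(log_text: str, version: str) -> bool:
    """Combine both signals: NO_LOGON_SERVERS failures on an SMBv1-dependent APM."""
    return bool(find_no_logon_server_failures(log_text)) and ntlm_uses_smbv1(version)


if __name__ == "__main__":
    for hit in find_no_logon_server_failures(SAMPLE_APM_LOG):
        print(f"{hit['daemon']}[{hit['pid']}] {hit['msgid']} -> {hit['status']}")
    for v in ("13.1.1", "14.1.0", "14.1.0.5", "15.0.0"):
        print(v, "affected" if ntlm_uses_smbv1(v) else "not affected")
```

On a real system the log text would come from `cat /var/log/apm` and the version from `tmsh show sys version`; the script only reads the lines, it does not change any configuration.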

Note: The link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.

Access Policy Manager supports Outlook Anywhere clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. BIG-IP APM determines whether a client uses NTLM or HTTP Basic authentication and enforces the use of one or the other. After a client authenticates with NTLM or HTTP Basic, BIG-IP APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).
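The distinction between an NTLM client and an HTTP Basic client is visible in the Authorization request header, which is what the paragraph above refers to. The following Python function is an added example, not F5 code and not a description of how BIG-IP APM implements the check: it classifies a header by scheme and, for NTLM, reads the message type from the NTLMSSP signature so a packet capture can be triaged (type 1 negotiate, type 2 challenge, type 3 authenticate). The sample header values are constructed.

```python
"""Classify an HTTP Authorization header as Basic, NTLM or other.

Example code added to this article (not F5 code). It illustrates the client-side
signal behind "NTLM or HTTP Basic"; it does not reproduce BIG-IP APM's own logic.
"""
import base64
import struct
from typing import Optional, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # 8-byte signature at the start of every NTLM message


def classify_authorization(header_value: str) -> Tuple[str, Optional[int]]:
    """Return ('basic', None), ('ntlm', message_type) or ('other', None).

    'Negotiate' may carry either SPNEGO/Kerberos or raw NTLMSSP; only the latter
    is reported as NTLM. Malformed base64 is treated as 'other' rather than raised.
    """
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return ("basic", None)
    if scheme in ("ntlm", "negotiate"):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return ("other", None)
        if len(raw) >= 12 and raw[:8] == NTLMSSP_SIGNATURE:
            # Message type is a 32-bit little-endian integer at offset 8.
            (msg_type,) = struct.unpack("<I", raw[8:12])
            return ("ntlm", msg_type)
        return ("other", None)
    return ("other", None)


def constructed_ntlm_negotiate_header() -> str:
    """Build a minimal constructed NTLM type 1 (NEGOTIATE) Authorization value."""
    body = (
        NTLMSSP_SIGNATURE
        + struct.pack("<I", 1)            # MessageType = NEGOTIATE
        + struct.pack("<I", 0xE208B2B7)   # NegotiateFlags (constructed value)
        + b"\x00" * 16                    # empty DomainName and Workstation fields
    )
    return "NTLM " + base64.b64encode(body).decode("ascii")


def constructed_basic_header() -> str:
    """Build a constructed HTTP Basic Authorization value for a dummy account."""
    return "Basic " + base64.b64encode(b"EXAMPLE\\user:not-a-real-password").decode("ascii")


if __name__ == "__main__":
    for hdr in (constructed_basic_header(), constructed_ntlm_negotiate_header(), "Bearer abc"):
        print(hdr[:30], "->", classify_authorization(hdr))
```

A client that sends Basic and then NTLM on the same connection is exactly the case the paragraph says APM will not allow; the classifier makes that mixture easy to spot in a capture.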

Supplemental Information

Related Content

K55889450: BIG-IP APM NTLM authentication for RDP client gateway and Microsoft Exchange Proxy are incompatible with the Microsoft workaround for MS17-010 (WannaCry / EternalBlue)
Configuring APM Client Side NTLM Authentication on DevCentral
Microsoft document on Pass-Through Authentication

Note: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Applies to:

Product: BIG-IP, BIG-IP APM 14.1.0, 14.0.0, 13.1.1, 13.1.0, 12.1.4, 12.1.3, 12.1.2, 12.0., 11.6.X, 11.5.X