Windows servers or domains requiring NTLMv2 only will break realm test configuration functionality and proxy management console access using an IWA direct realm.

Article ID: 168430

Products

ProxySG Software - SGOS

Issue/Introduction

When a Windows server or domain is configured to accept NTLMv2 only (rejecting NTLMv1), the test configuration function of an IWA direct realm that uses that server or domain fails with an error. Below is an example of the error seen when attempting to use the test configuration function:
Failed test configuration example
If the realm that uses these servers or domains is also used for admin authentication, the user will not be able to log in to the proxy's management console and will be prompted for credentials repeatedly. Example admin authentication CPL:

<Admin>
    authenticate(ms2012) authenticate.force(no) 

<Admin>
    ALLOW admin.access=(READ, WRITE)

While investigating these problems you will see the following LSA debug log entries, which report that the user's password is invalid even though the password is correct:

2157.817 LW_Error_to_auth_result(), mapping LW_ERROR_INVALID_PASSWORD 40069 to AUTH_E_CREDENTIALS_MISMATCH 2425130
2157.817 GSSAPI:  Error in gss_accept_sec_context() at g_accept_sec_context.c:225 [major: 851968, minor: 40069]
2157.817 GSSAPI:  gss_accept_sec_context() at g_accept_sec_context.c:223 [Minor: 40069]
2157.817 TRACE: lsass - [ntlm_gss_accept_sec_context() gssntlm.c:1201] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmClientAcceptSecurityContext() acceptsecctxt.c:93] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmTransactAcceptSecurityContext() clientipc.c:222] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmServerAcceptSecurityContext() acceptsecctxt.c:179] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:839] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'administrator') -> error = 40069, symbol = LW_ERROR_INVALID_PASSWORD, client pid = 4194862
2157.816 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:375] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.815 TRACE: lsass - [AD_AuthenticateUserEx() provider-main.c:1641] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.815 NTLM authentication failed: 0xC000006A(-1073741718)

Cause

A bug was discovered in the ProxySG appliance: it sends NTLMv1 when using an IWA direct realm's test configuration function, and when using an IWA direct realm in admin authentication policy. This is a problem when the Windows servers or domains are configured to allow only NTLMv2 and reject NTLMv1 (not the default). Below is a screenshot from a Windows 2012 server's local security policy showing the relevant policy setting that allows only NTLMv2:
Local security setting that only allows NTLMv2
With the above setting the Windows servers will not accept the NTLMv1 authentication attempts from the proxy.
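To confirm whether a given server or domain controller is in the NTLMv1-rejecting state described above, the following check is added here as an example (it is not part of the KB article or of SGOS). It reads the registry value behind the "Network security: LAN Manager authentication level" policy and assumes that a missing value behaves as level 3 on Windows Server 2008 R2 and later; it does not evaluate the separate "Restrict NTLM" policies.

```powershell
# Added example, not part of the KB article or of SGOS. Run on the domain
# controller or member server that the IWA direct realm points at; it reads
# the registry value behind the "Network security: LAN Manager authentication
# level" policy and reports whether that host refuses NTLMv1, which is the
# condition that breaks test configuration and admin login on affected SGOS.

function Get-NtlmV1Acceptance {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaPath -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Assumption: when the value is not set, Windows Server 2008 R2 and later
        # behave as level 3 (send NTLMv2 only, but still accept NTLMv1 inbound).
        $level  = 3
        $source = 'not set (OS default assumed)'
    } else {
        $level  = [int]$item.LmCompatibilityLevel
        $source = 'registry'
    }

    $names = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    # Only level 5 refuses NTLMv1 from clients; levels 0-4 still accept it on
    # the receiving side, even when the host itself only sends NTLMv2.
    $refusesNtlmV1 = ($level -eq 5)
    if ($refusesNtlmV1) {
        $impact = 'IWA direct test configuration and admin console login fail on SGOS older than 6.5.7.6 (bug 215245); upgrade SGOS, or lower the level to 4 or below as a workaround'
    } else {
        $impact = 'NTLMv1 is accepted; this article does not apply to this host'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        Setting              = $names[$level]
        Source               = $source
        RefusesNtlmV1        = $refusesNtlmV1
        ProxySGImpact        = $impact
    }
}

Get-NtlmV1Acceptance | Format-List
```

If the policy is applied by GPO, check the value on every domain controller the realm may authenticate against, since the proxy's request can land on any of them.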

Resolution

The fix for this issue is for the ProxySG appliance to use NTLMv2 when authenticating a user as part of the IWA direct realm test configuration process, and for admin authentication, which is used to log in to the ProxySG appliance management console. Bug 215245 was opened to make this change.

Note: bug 215245 is resolved in SGOS 6.5.7.6 and newer releases.

Workaround

One way to work around this issue is to change the Windows server or domain configuration to accept NTLMv1. The following screenshot shows the appropriate setting for allowing this:
Local policy setting that allows NTLMv1
With the above setting, login attempts to the proxy's management console through admin authentication using an IWA direct realm will succeed, and the test configuration function will no longer error. Example:
Working test configuration example