When a Windows server or domain is configured to use NTLMv2 only (rejecting NTLMv1), attempts to use the test configuration function in an IWA direct realm will fail with an error. Below is an example of the error seen when attempting to use the test configuration function:
Also, if a realm backed by these servers or domains is used for admin authentication, the user will not be able to log in to the proxy's management console and will be prompted for credentials repeatedly. Example admin authentication CPL:
ALLOW admin.access=(READ, WRITE)
While investigating these problems you will see the following LSA debug log entries, which report the user's password as invalid even though the password is correct:
2157.817 LW_Error_to_auth_result(), mapping LW_ERROR_INVALID_PASSWORD 40069 to AUTH_E_CREDENTIALS_MISMATCH 2425130
2157.817 GSSAPI: Error in gss_accept_sec_context() at g_accept_sec_context.c:225 [major: 851968, minor: 40069]
2157.817 GSSAPI: gss_accept_sec_context() at g_accept_sec_context.c:223 [Minor: 40069]
2157.817 TRACE: lsass - [ntlm_gss_accept_sec_context() gssntlm.c:1201] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmClientAcceptSecurityContext() acceptsecctxt.c:93] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmTransactAcceptSecurityContext() clientipc.c:222] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmServerAcceptSecurityContext() acceptsecctxt.c:179] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:839] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'administrator') -> error = 40069, symbol = LW_ERROR_INVALID_PASSWORD, client pid = 4194862
2157.816 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:375] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.815 TRACE: lsass - [AD_AuthenticateUserEx() provider-main.c:1641] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.815 NTLM authentication failed: 0xC000006A(-1073741718)
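The following is an added triage helper, not part of this article or of the ProxySG software: it parses LSA debug lines of the shape quoted above (the sample is constructed from them), checks that the NTSTATUS printed in hex matches its signed decimal twin, and flags the "password rejected plus STATUS_LOGON_FAILURE" chain that, when the password is known to be good, points at the NTLMv1/NTLMv2 mismatch described here.

```python
import re

# Constructed sample in the shape of the LSA debug entries quoted above.
SAMPLE_LOG = """\
2157.817 LW_Error_to_auth_result(), mapping LW_ERROR_INVALID_PASSWORD 40069 to AUTH_E_CREDENTIALS_MISMATCH 2425130
2157.816 TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:839] Error code: 40069 (symbol: LW_ERROR_INVALID_PASSWORD)
2157.816 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'administrator') -> error = 40069, symbol = LW_ERROR_INVALID_PASSWORD, client pid = 4194862
2157.815 NTLM authentication failed: 0xC000006A(-1073741718)
"""

STATUS_LOGON_FAILURE = 0xC000006A  # NTSTATUS returned when a logon is rejected

SYMBOL_RE = re.compile(r"\b(LW_ERROR_[A-Z_]+)\b")
USER_RE = re.compile(r"Failed to authenticate user \(name = '([^']+)'\)")
NTLM_RE = re.compile(r"NTLM authentication failed: 0x([0-9A-Fa-f]{8})\((-?\d+)\)")


def signed32(value):
    """Reinterpret an unsigned 32-bit NTSTATUS as the signed value the log also prints."""
    return value - (1 << 32) if value & 0x80000000 else value


def triage(log_text):
    """Walk LSA debug lines and summarise the NTLM failure they describe."""
    summary = {"symbols": set(), "users": set(), "ntstatus": None, "ntstatus_consistent": None}
    for line in log_text.splitlines():
        summary["symbols"].update(SYMBOL_RE.findall(line))
        if m := USER_RE.search(line):
            summary["users"].add(m.group(1))
        if m := NTLM_RE.search(line):
            status = int(m.group(1), 16)
            summary["ntstatus"] = status
            # The appliance prints the same status twice; a mismatch means a mangled log.
            summary["ntstatus_consistent"] = signed32(status) == int(m.group(2))
    return summary


def likely_ntlm_version_mismatch(summary):
    """True when the chain is exactly the one this article describes: a
    password-rejection symbol plus STATUS_LOGON_FAILURE. The pattern alone
    cannot prove the password is good; confirm that, then check whether the
    server or domain is configured to refuse NTLMv1."""
    return ("LW_ERROR_INVALID_PASSWORD" in summary["symbols"]
            and summary["ntstatus"] == STATUS_LOGON_FAILURE)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s, likely_ntlm_version_mismatch(s))
```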
The root cause is a bug: the ProxySG appliance sends NTLMv1 when an IWA direct realm's test configuration function is used, and when an IWA direct realm is used for admin authentication policy. This causes a problem when the Windows servers or domains are configured to allow only NTLMv2 and reject NTLMv1 (which is not the default). Below is a screenshot from a Windows 2012 server's local security policy showing the relevant policy, which allows only NTLMv2:
With the above setting in place, the Windows servers will not accept the NTLMv1 authentication attempts from the proxy.
The fix for this issue is for the ProxySG appliance to use NTLMv2 when authenticating a user as part of the IWA direct realm test configuration process, and for admin authentication, which is used to log in to the ProxySG appliance management console. Bug 215245 was opened to make this change.
Note: bug 215245 is resolved in SGOS 22.214.171.124 and newer releases.