Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER
Issue/Introduction
Customer experienced intermittent NTLM authentication failures in Chrome. With the 12.8 SP2 Access Gateway, NTLM authentication works regardless of whether Chrome is in Incognito mode. With 12.8 SP3 and later, NTLM authentication fails when Chrome is in Incognito mode but works in a normal Chrome window. Internet Explorer authenticates with NTLM against 12.8 SP3 and later without any problem.
Environment
Release : 12.8.03
Component : SITEMINDER SECURE PROXY SERVER
Cause
Failed transaction example:
================
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][user-agent received Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][Request for SSPI NTLM for Chain Authentication]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::IsMobileRequest][Validating handled device request]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][Request for SSPI NTLM Authentication]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Authorization header not present. Sending NTLM Challenge response]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Generating IWACHALLENGE cookie response header, as meta refresh]
The trace shows the request came from Chrome/81.0.4044.129, a very recent release at the time. In the failed transaction SM_NTLMCTX is never set: the browser stopped negotiating right after the SMIWACHALLENGE cookie was set. Once SMIWACHALLENGE is set, it is up to the browser to continue the NTLM negotiation by submitting its credentials, beginning with a Type 1 (negotiate) token in the Authorization header, for example:
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==
No such token was ever submitted by the browser to the Access Gateway. Because Internet Explorer, and Chrome in a normal window, authenticate against the same gateway, the challenge itself is sound; the difference is on the browser side.
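To make the diagnosis above repeatable, here is an added Python example (not part of this article or of the SiteMinder product): it parses the failed-transaction trace, reports how far the NTLM handshake got, and decodes the Type 1 token quoted above to show what the gateway was waiting for. The trace excerpt is the article's own, re-split one entry per line; the marker strings searched for are the ones quoted in the article, and the assumption that a submitted token would show up in a trace line with the base64 prefix TlRMTVNTUAAB (the NTLMSSP signature plus message type 1) is mine.

```python
import base64
import re
import struct

# Constructed input: the article's failed-transaction trace, one entry per line.
# Layout of each entry: [date][time][pid][tid][txid][function][message].
FAILED_TRACE = """\
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][user-agent received Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][Request for SSPI NTLM Authentication]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Authorization header not present. Sending NTLM Challenge response]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Generating IWACHALLENGE cookie response header, as meta refresh]
"""

# The Type 1 token from the article, as it would appear in the request header
# the browser should have sent after the challenge.
EXPECTED_TYPE1_HEADER = "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw=="

TRACE_LINE = re.compile(r"^\[(.*?)\]\[(.*?)\]\[(\d+)\]\[(\d+)\]\[(.*?)\]\[(.*?)\]\[(.*)\]$")

def parse_trace(text):
    """Split SPS trace text into dicts; lines not matching the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            entries.append({"txid": m.group(5), "func": m.group(6), "msg": m.group(7)})
    return entries

def chrome_major(user_agent):
    m = re.search(r"Chrome/(\d+)\.", user_agent)
    return int(m.group(1)) if m else None

def diagnose(entries):
    """Summarise how far the NTLM handshake got within one transaction's entries."""
    ua = next((e["msg"].split("user-agent received ", 1)[1]
               for e in entries if "user-agent received " in e["msg"]), "")
    d = {
        "chrome_major": chrome_major(ua),
        "challenge_sent": any("Sending NTLM Challenge" in e["msg"] for e in entries),
        # Assumption: a submitted Type 1 token is logged with its base64 prefix.
        "type1_token_seen": any("TlRMTVNTUAAB" in e["msg"] for e in entries),
        "sm_ntlmctx_seen": any("SM_NTLMCTX" in e["msg"] for e in entries),
    }
    if d["challenge_sent"] and not d["type1_token_seen"]:
        d["verdict"] = "browser never answered the NTLM challenge"
        if (d["chrome_major"] or 0) >= 81:
            d["verdict"] += "; Chrome 81+ disables ambient auth in Incognito/guest by default"
    else:
        d["verdict"] = "handshake progressed past the challenge"
    return d

# NTLMSSP NEGOTIATE flags (MS-NLMP); only the ones commonly seen in browser tokens.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}

def decode_ntlm_type1(header_value):
    """Decode a raw NTLMSSP NEGOTIATE_MESSAGE (type 1) from an Authorization header.
    Works for 'Negotiate <b64>' and 'NTLM <b64>' when the token is raw NTLMSSP;
    a token starting with 'YI' is SPNEGO-wrapped ASN.1 and is not handled here."""
    raw = base64.b64decode(header_value.split()[-1])
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not a raw NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected type 1, got type %d" % msg_type)
    version = None
    if flags & 0x02000000 and len(raw) >= 40:   # NEGOTIATE_VERSION: 8-byte version at 32
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        version = (major, minor, build)
    names = [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    return {"message_type": msg_type, "flags": flags, "flag_names": names, "version": version}

if __name__ == "__main__":
    print(diagnose(parse_trace(FAILED_TRACE)))
    print(decode_ntlm_type1(EXPECTED_TYPE1_HEADER))
```

A healthy transaction would continue with this Type 1 token, the gateway's Type 2 challenge, the browser's Type 3 response, and finally SM_NTLMCTX. The decoder also reports the client OS version that Windows embeds in the token (here 10.0 build 17134), which is handy when correlating a trace with a particular workstation.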
Chrome 81 changed the browser's default behaviour, as announced for that release:
"NTLM / Kerberos authentication disabled by default in Incognito mode and guest sessions. Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy."
Resolution
The customer set the AmbientAuthenticationInPrivateModesEnabled Chrome policy, and NTLM authentication in Incognito mode works again.
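To confirm the policy actually reached the browser before retesting, here is an added Python helper (not part of this article, of SiteMinder, or of Chrome): it reads AmbientAuthenticationInPrivateModesEnabled from the Windows policy registry key or from a Linux managed-policy JSON file and interprets the value. The registry path, the JSON directory and the value meaning (0 = off, 1 = Incognito only, 2 = guest only, 3 = both) are taken from Chrome's enterprise policy documentation as I know it; the authoritative view is chrome://policy on the affected workstation.

```python
import glob
import json
import os

POLICY_NAME = "AmbientAuthenticationInPrivateModesEnabled"
# Bit meanings per Chrome's policy documentation (assumption): 1 = Incognito, 2 = guest.
INCOGNITO = 1
GUEST = 2

def ambient_auth_allowed(policy_value, mode=INCOGNITO):
    """True if Chrome will send ambient (NTLM/Kerberos) credentials in the given
    private mode. None means the policy is unset, which in Chrome 81+ means off."""
    if policy_value is None:
        return False
    return bool(int(policy_value) & mode)

def policy_from_json_text(text):
    """Extract the policy value from the body of a managed-policy JSON file."""
    return json.loads(text).get(POLICY_NAME)

def read_policy_linux(policy_dir="/etc/opt/chrome/policies/managed"):
    """Scan Chrome's managed policy directory on Linux (assumed default path)."""
    for path in sorted(glob.glob(os.path.join(policy_dir, "*.json"))):
        with open(path, encoding="utf-8") as fh:
            value = policy_from_json_text(fh.read())
        if value is not None:
            return value
    return None

def read_policy_windows():
    """Read the machine or user policy value from the registry (Windows only)."""
    import winreg  # only importable on Windows
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Policies\Google\Chrome") as key:
                value, _ = winreg.QueryValueEx(key, POLICY_NAME)
                return value
        except OSError:
            continue
    return None

def describe(policy_value):
    """One-line summary of what the value means for each private mode."""
    return "%s=%r: Incognito %s, guest %s" % (
        POLICY_NAME, policy_value,
        "allowed" if ambient_auth_allowed(policy_value, INCOGNITO) else "blocked",
        "allowed" if ambient_auth_allowed(policy_value, GUEST) else "blocked")

if __name__ == "__main__":
    import sys
    value = read_policy_windows() if sys.platform == "win32" else read_policy_linux()
    print(describe(value))
```

Re-enabling ambient authentication in Incognito means domain credentials are again offered automatically from private windows, so keep the set of hosts allowed to receive them tight via Chrome's AuthServerAllowlist policy rather than relying on the browser's default intranet detection.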