search cancel

Intermittent NTLM Failure on Chrome 81


Article ID: 189968


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER


Customer experienced Intermittent NTLM Failure on Chrome.
When using 12.8sp2 access gateway, ntlm authentication works regardless Chrome is in incognito mode or not.
But using 12.8sp3, ntlm authentication does not work when Chrome is in incognito mode.
IE works fine on 12.8sp3 ntlm authentication.


Release : 12.8.03



Failed transaction example:
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][user-agent received Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][Request for SSPI NTLM for Chain Authentication]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::IsMobileRequest][Validating handled device request]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][SmNtc::getCredentials][Request for SSPI NTLM Authentication]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Authorization header not present. Sending NTLM Challenge response]
[04/29/2020][14:05:18][2312][6064][77aa059a-77cfa22a-d13f2064-8dce9c03-09200743-f98][CSmSSPIServer::getCredentialsNTLMAuth][Generating IWACHALLENGE cookie response header, as meta refresh]

The logs shows Chrome/81.0.4044.129 was possibly used, which is quite new release version.
In failed scenario, there is no SM_NTLMCTX being set, and browser stopped negotiating right after SMIWACHALLENGE was set.
After SMIWACHALLENGE was set, it is up to the browser to submit Credentials as part of ntlm negotiation.
A token like this was never sbmitted by browser to access gateway.


Based on google documentation:

"NTLM / Kerberos authentication disabled by default in Incognito mode and guest sessions
Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy.
Customer changed Chrome policy and now ntlm works again.

This root cause is not related to access gateway version. However, we do recommend customer to use 12.8sp3 version access gateway with ACO UseNtlmMapForNtlmAuth=Yes.
There is known defect documented in release note:

Access Gateway on Windows Crashes When NTLM Authentication Goes Through Load Balancers