User fails to browse a website and gets 'page cannot be displayed' or timeout.
User authenticates using NTLM protocol.
User getting HTTP 500 Internal Server error.
Release : 6.7 and 7.x.
Component : Authentication.
The client or its browser opens a new TCP connection when it sends the NTLM Type 3 message, instead of reusing the connection on which it received the NTLM Type 2 challenge.
The packet capture below shows the issue (frame numbers refer to that capture).
Frame 749 - The user starts the NTLM authentication process by sending NTLM Type 1 using source port 51206.
Frame 750 - Proxy responds with NTLM Type 2 using the same source port 51206.
Frame 765 - User responds with NTLM Type 3 that carries the user credentials but uses a different source port (60290).
Frame 767 - Proxy responds with 500 Internal Server Error. NTLM authentication is tied to the TCP connection, so the Type 3 message arriving on a different source port cannot be matched to the Type 2 challenge issued on port 51206, and the authentication breaks.
As a comparison, the packet capture below shows a working authentication.
Frame 530 - User starts the NTLM authentication process by sending NTLM Type 1 using source port 50137.
Frame 532 - Proxy responds with NTLM Type 2 using the same source port 50137.
Frame 534 - User responds with NTLM Type 3 that carries the user credentials and still uses the same source port (50137).
Frame 535 - Proxy responds with 200 OK; there is no issue with authentication.
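To make the comparison between the two captures checkable, here is an added Python example (not part of the original article and not a tool from the proxy vendor) that reads a simplified capture summary, decodes the NTLM MessageType from each Proxy-Authorization / Proxy-Authenticate token, and reports whether the Type 3 message travelled on the same TCP connection as the Type 2 challenge. The capture lines are constructed to mirror the frames described above; the tokens are minimal constructed NTLM messages (just the NTLMSSP signature and the MessageType field), and the host name, line format and client port column are assumptions of this example.

```python
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Every NTLM message begins with the 8-byte signature "NTLMSSP\0" followed by a
# 4-byte little-endian MessageType: 1 = Negotiate, 2 = Challenge, 3 = Authenticate.
NTLM_SIGNATURE = b"NTLMSSP\x00"


def make_token(msg_type: int) -> str:
    """Constructed minimal NTLM token: signature + MessageType, no other fields."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type)).decode()


def ntlm_message_type(token_b64: str) -> Optional[int]:
    """Return the MessageType of a base64 NTLM token, or None if it is not NTLM."""
    try:
        raw = base64.b64decode(token_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


@dataclass
class Frame:
    number: int
    client_port: int          # client-side TCP port; identifies the TCP connection
    sender: str               # "C" = client, "P" = proxy
    ntlm_type: Optional[int]  # 1, 2 or 3 when the frame carries an NTLM token
    status: Optional[int]     # HTTP status for proxy responses


# Assumed summary format: "<frame> port=<client port> <C>P|P>C> <request or status line ...>"
FRAME_RE = re.compile(r"^(?P<num>\d+)\s+port=(?P<port>\d+)\s+(?P<dir>C>P|P>C)\s+(?P<rest>.*)$")
TOKEN_RE = re.compile(r"NTLM\s+([A-Za-z0-9+/=]+)")
STATUS_RE = re.compile(r"^HTTP/1\.1\s+(\d{3})")


def parse_frame(line: str) -> Frame:
    m = FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    rest = m.group("rest")
    tok = TOKEN_RE.search(rest)
    st = STATUS_RE.match(rest)
    return Frame(
        number=int(m.group("num")),
        client_port=int(m.group("port")),
        sender="C" if m.group("dir") == "C>P" else "P",
        ntlm_type=ntlm_message_type(tok.group(1)) if tok else None,
        status=int(st.group(1)) if st else None,
    )


def check_ntlm_handshake(lines) -> dict:
    """Check that the Type 3 response uses the TCP connection that carried the Type 2 challenge.

    NTLM over HTTP is connection-oriented: the proxy keeps the challenge state on the
    connection, so a Type 3 arriving on a new connection cannot be matched to it.
    """
    frames = [parse_frame(l) for l in lines if l.strip()]
    challenge = None  # most recent Type 2 seen from the proxy
    for f in frames:
        if f.sender == "P" and f.ntlm_type == 2:
            challenge = f
        elif f.sender == "C" and f.ntlm_type == 3:
            if challenge is None:
                return {"ok": False, "reason": f"Type 3 in frame {f.number} without a preceding Type 2"}
            if f.client_port != challenge.client_port:
                return {
                    "ok": False,
                    "type2_port": challenge.client_port,
                    "type3_port": f.client_port,
                    "reason": (f"Type 3 in frame {f.number} used port {f.client_port}, but the "
                               f"Type 2 challenge in frame {challenge.number} was sent on port "
                               f"{challenge.client_port}: client opened a new TCP connection"),
                }
            return {"ok": True, "port": f.client_port, "type3_frame": f.number}
    return {"ok": False, "reason": "no NTLM Type 3 message in capture"}


# Constructed capture summaries mirroring the frames described in the article.
FAILING_CAPTURE = [
    f"749 port=51206 C>P GET http://example.test/ Proxy-Authorization: NTLM {make_token(1)}",
    f"750 port=51206 P>C HTTP/1.1 407 Proxy-Authenticate: NTLM {make_token(2)}",
    f"765 port=60290 C>P GET http://example.test/ Proxy-Authorization: NTLM {make_token(3)}",
    "767 port=60290 P>C HTTP/1.1 500 Internal Server Error",
]
WORKING_CAPTURE = [
    f"530 port=50137 C>P GET http://example.test/ Proxy-Authorization: NTLM {make_token(1)}",
    f"532 port=50137 P>C HTTP/1.1 407 Proxy-Authenticate: NTLM {make_token(2)}",
    f"534 port=50137 C>P GET http://example.test/ Proxy-Authorization: NTLM {make_token(3)}",
    "535 port=50137 P>C HTTP/1.1 200 OK",
]

if __name__ == "__main__":
    print("failing:", check_ntlm_handshake(FAILING_CAPTURE))
    print("working:", check_ntlm_handshake(WORKING_CAPTURE))
```

When run against a real trace, the summary lines would be produced from the capture (for example by exporting frame number, client port, direction and the HTTP header line), and a result with `ok` false and differing `type2_port` / `type3_port` values points at the client or the network path between client and proxy rather than at the proxy itself.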
The proxy is behaving correctly; this is not an issue with the proxy.
Further investigation needs to be done on the client side or on the network between the client and the proxy.