
Regarding NTLM Issue in API Gateway V10.


Article ID: 225293


Products

CA API Gateway

Issue/Introduction

We migrated CA Layer 7 API Gateway from V8.4 to V10 and also migrated all the policies and assertions. As part of the migration, we migrated the NTLM implementation from the existing V8.4 to V10.

Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users' identities. At its core, NTLM is a single sign-on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password.

The API Gateway sits between the client and the NTLM server and implements a few gateway security and rate-limit features as part of the request. NTLM functionality works perfectly fine in V8.4, but it is not working as expected after the migration to V10.

The NTLM handshake is performed in 3 steps (Negotiate, Challenge and Authenticate); all 3 calls are made in sequence from the client via the API Gateway to the NTLM server. For NTLM to be successful, the same HTTPS connection is required between the 2nd and 3rd handshake requests. But in V10 it is opening a new connection and additionally generating a different session cookie in the 2nd and 3rd requests; due to this, the NTLM server is treating it as a completely new request, causing the NTLM authentication to fail. We need your help to identify why the gateway is opening a new connection for the 2nd and 3rd requests and generating a different session cookie for them.
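The connection requirement described above can be checked from a capture or log of the gateway-to-backend leg. The following is an added example, not part of the original article or of the product: it reads the message type from each `NTLM <base64>` header value and reports when the Authenticate message arrives on a different connection than the Challenge. The connection identifiers and the sample messages are constructed assumptions.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Every NTLM message starts with "NTLMSSP\0", then a little-endian uint32 type.
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in NTLM_TYPES else None

def check_handshake(trace):
    """trace: ordered (connection_id, header_value) pairs from the backend leg.
    Returns findings; an empty list means Type 3 reused Type 2's connection."""
    findings, challenge_conn = [], None
    for conn_id, header in trace:
        mtype = ntlm_message_type(header)
        if mtype == 2:
            challenge_conn = conn_id
        elif mtype == 3:
            if challenge_conn is None:
                findings.append(f"AUTHENTICATE on {conn_id} with no prior CHALLENGE")
            elif conn_id != challenge_conn:
                findings.append(
                    f"AUTHENTICATE on {conn_id}, CHALLENGE was issued on {challenge_conn}")
            challenge_conn = None  # handshake finished; wait for the next challenge
    return findings

def _sample(msg_type):
    # Constructed stand-in: signature + type field only, not a full NTLM message.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(body).decode()

# Constructed traces; connection ids are hypothetical labels from a capture or log.
SAME_CONN = [("conn-1", _sample(1)), ("conn-1", _sample(2)), ("conn-1", _sample(3))]
NEW_CONN = [("conn-1", _sample(1)), ("conn-1", _sample(2)), ("conn-2", _sample(3))]

if __name__ == "__main__":
    print(check_handshake(SAME_CONN), check_handshake(NEW_CONN))
```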

 

Environment

Release : 10.1

Component : API GATEWAY

Resolution

A hotfix has been created and can be requested by contacting support. This fix will be included in the next CR for GW10 and GW10.1.