ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Regarding NTLM Issue in API Gateway V10.
Article ID: 225293
CA API Gateway
We migrated CA Layer 7 API Gateway from V8.4 to V10 and also migrated all the policies and assertions. As part of the migration we migrated NTLM Implementation from existing V8.4 to V10.
Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password.
API Gateway Sits between Client and NTLM Server and implemented few Gateway security & Rate limit feature as part of the request. NTLM functionally is working perfectly fine in V8.4 but it is not working as expected after the migration to V10.
NTLM handshake functionality is performed in 3 steps (Negotiate , Challenge and Authenticate) all 3 calls will be done in sequence from client via api gateway to NTML server. For NTLM to be successful, the same HTTPS connection is required between the 2nd and 3rd handshake requests But in V10 it is opening new connection and also additional generating different session cookie in 2 & 3 request due to this NTLM server is treating it has a completely new request and causing the NTLM authentication to fail. We need you help to identify why the gateway is opening new connection for 2 & 3 request and generating different session cookie for 2 & 3 request.
Release : 10.1
Component : API GATEWAY
Hotfix created which can be requested by contacting support , this fix will be included in next CR for GW10 and GW10.1