We migrated the CA Layer7 API Gateway from v8.4 to v10 and also migrated all the policies and assertions. As part of the migration we migrated the NTLM implementation from the existing v8.4 to v10.
Windows New Technology LAN Manager (NTLM) is a suite of security protocols from Microsoft for authenticating users. At its core, NTLM is a challenge-response authentication protocol: the client proves knowledge of the user's password by answering a server challenge, so the password itself is never sent over the wire, which is what gives domain users single sign-on (SSO) with it.
The API Gateway sits between the client and the NTLM server and implements a few gateway security and rate-limit features as part of the request. NTLM functionality works perfectly fine in v8.4, but it is not working as expected after the migration to v10.
The NTLM handshake is performed in 3 steps (Negotiate, Challenge and Authenticate); all 3 calls are made in sequence from the client via the API Gateway to the NTLM server. For NTLM to succeed, the same HTTPS connection is required between the 2nd and 3rd handshake requests. But in v10 the gateway is opening a new connection and also generating a different session cookie for the 2nd and 3rd requests; because of this the NTLM server treats it as a completely new request and the NTLM authentication fails. We need your help to identify why the gateway is opening a new connection for the 2nd and 3rd requests and generating a different session cookie for the 2nd and 3rd requests.
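The connection-affinity requirement described above, as an added example that is not part of this article or of the Layer7 product: a Python model of the three-step NTLM-over-HTTP handshake passing through a reverse proxy. Only the NTLMSSP signature, the message-type field at offset 8 and the Type 2 ServerChallenge at offset 24 follow MS-NLMP; the Type 3 body, the shared secret and the HMAC proof are stand-ins for the real NTLMv2 response, and every class and function name is hypothetical. With the proxy pinning one upstream connection per client connection the Authenticate step succeeds; with a fresh upstream connection per request the server, which keeps the outstanding challenge per connection, receives a Type 3 with no challenge on that connection and answers 401, which is the failure in the report.

```python
"""Toy model of NTLM-over-HTTP through a reverse proxy (added example, not Layer7 code)."""
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
SHARED_SECRET = b"toy-password-equivalent"  # assumption: stands in for the NT hash


def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization /
    WWW-Authenticate header value such as 'NTLM TlRMTVNTUAAB...', else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # MessageType, little-endian at offset 8


def _header(raw):
    return "NTLM " + base64.b64encode(raw).decode()


def type1():
    # NEGOTIATE: signature, MessageType=1, NegotiateFlags, empty DomainName/Workstation fields.
    return _header(NTLMSSP + struct.pack("<I", 1) + struct.pack("<I", 0) + bytes(16))


def type2(challenge):
    # CHALLENGE: signature, MessageType=2, empty TargetName fields, flags, ServerChallenge at 24.
    return _header(NTLMSSP + struct.pack("<I", 2) + bytes(8) + struct.pack("<I", 0) + challenge + bytes(8))


def proof(challenge):
    # Stand-in for the NTLMv2 response: HMAC over the 8-byte server challenge.
    return hmac.new(SHARED_SECRET, challenge, hashlib.sha256).digest()


def type3(challenge):
    # Toy AUTHENTICATE: signature, MessageType=3, then the proof (real field layout omitted).
    return _header(NTLMSSP + struct.pack("<I", 3) + proof(challenge))


class NtlmServer:
    """Keeps the outstanding challenge per upstream connection, not per session cookie."""

    def __init__(self):
        self.pending = {}  # connection id -> challenge bytes awaiting a Type 3

    def handle(self, conn_id, headers):
        auth = headers.get("Authorization", "")
        kind = ntlm_message_type(auth)
        if kind == 1:
            challenge = os.urandom(8)
            self.pending[conn_id] = challenge
            return 401, {"WWW-Authenticate": type2(challenge)}
        if kind == 3:
            challenge = self.pending.pop(conn_id, None)
            if challenge is None:
                # Type 3 on a connection that never carried the Type 1/Type 2: handshake restarts.
                return 401, {"WWW-Authenticate": "NTLM"}
            raw = base64.b64decode(auth.split(" ", 1)[1])
            if hmac.compare_digest(raw[12:], proof(challenge)):
                return 200, {}
        return 401, {"WWW-Authenticate": "NTLM"}


class Gateway:
    """Reverse proxy; reuse_connection=True pins one upstream connection per client connection."""

    def __init__(self, server, reuse_connection):
        self.server = server
        self.reuse = reuse_connection
        self.next_conn = 0
        self.upstream_for_client = {}

    def forward(self, client_conn, headers):
        if self.reuse and client_conn in self.upstream_for_client:
            upstream = self.upstream_for_client[client_conn]
        else:
            self.next_conn += 1  # a brand-new upstream TCP connection
            upstream = self.next_conn
            self.upstream_for_client[client_conn] = upstream
        return self.server.handle(upstream, headers)


def run_handshake(reuse_connection):
    """Drive Negotiate / Challenge / Authenticate from one client connection; return final status."""
    gw = Gateway(NtlmServer(), reuse_connection)
    client_conn = "client-1"
    status, hdrs = gw.forward(client_conn, {})  # anonymous request, server asks for NTLM
    status, hdrs = gw.forward(client_conn, {"Authorization": type1()})  # Negotiate
    assert status == 401 and ntlm_message_type(hdrs["WWW-Authenticate"]) == 2  # Challenge
    challenge = base64.b64decode(hdrs["WWW-Authenticate"].split(" ", 1)[1])[24:32]
    status, _ = gw.forward(client_conn, {"Authorization": type3(challenge)})  # Authenticate
    return status


if __name__ == "__main__":
    print("pinned upstream connection:", run_handshake(True))   # 200
    print("new connection per request:", run_handshake(False))  # 401
```

The ntlm_message_type helper is the check to apply to a gateway trace of the Authorization and WWW-Authenticate headers: if the request carrying type 3 leaves the gateway on a different upstream connection than the one that carried type 1, the back end cannot match it to its challenge and the handshake restarts, regardless of any cookie the gateway attaches.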
Release: 10.1
Component: API GATEWAY
This has been fixed in the latest CR for GW10 and GW10.1.