NTLM authentication failed for users using Symantec Web Gateway in Proxy Mode.
Last Updated April 12, 2013
The browser displays the authentication pop-up but credentials are not accepted from the client machine.
The Authentication NTLM 407 test might be successful from the Symantec Web Gateway (SWG) interface when in Proxy mode.
NetBIOS over TCP/IP is disabled on the domain controller.
The operating system does not have the proper NTLM compatibility settings.
To enable NetBIOS over TCP/IP from the network interface card properties on the domain controller
Open the Properties for the network interface in the Network And Dial-Up Connections folder.
Open the Properties for the TCP/IP protocol, click the Advanced tab, and from there, select the WINS tab.
Select Enable NetBIOS Over TCP/IP to enable it.
Ensure compatibility with NTLMv1 and NTLMv2
SWG Inline mode only supports NTLMv1. Some configuration changes might be required on some Operating Systems.
If you do not make the necessary changes, you may encounter the following issues:
Active Directory may deny user access due to failed authentication attempts. This user lockout can occur even if users were not presented with an authentication dialog box due to internal authentication failures.
Outlook or the Web browser may display a dialog box that requires users to log on.
Windows 7 and Vista and Inline mode
Windows Vista and Windows 7 require a group policy change to use the NTLMv1 protocol instead of NTLMv2.
Other versions of Windows can also have this issue if your organization's security policy does not support NTLMv1. If you do not make this change, it can affect authentication for users at your site.
You must perform this procedure on every computer that runs Windows Vista and Windows 7 in your network. You can use the Active Directory group policy to make this change for all computers.
To configure NTLM compatibility for Windows Vista and Windows 7
Click Start > All Programs > Accessories > Run and type secpol.msc in the open box, and then click OK.
Click Local Policies > Security Options > Network Security: LAN Manager authentication level.
Click Send LM & NTLM - use NTLMv2 session security if negotiated.
Windows XP SP3 and Proxy mode
Configuring NTLMv2 compatibility for Windows XP allows your Windows clients to only use NTLMv2 authentication and refuse other security.
If you change to this high level of security, it is not easy to connect to other Windows computers without equivalent security settings.
To configure NTLMv2 compatibility for Windows XP
Click Start > Settings > Control Panel.
Click the Performance and Maintenance category.
Click Administrative Tools.
Click Local Security Policy > Local Policies > Security Options > Network Security: LAN Manager authentication level.
Click Send LM & NTLM - use NTLMv2 session security if negotiated.
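To confirm the settings from the procedures above before and after changing them, the following read-only check reports the LAN Manager authentication level on a client and the NetBIOS over TCP/IP state on a domain controller. It is an added example, not part of the original Symantec article; it assumes Windows PowerShell 2.0 or later, and the function names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# LmCompatibilityLevel is the registry value behind the policy
# "Network security: LAN Manager authentication level".
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the operating system default applies (varies by Windows version).
        return New-Object PSObject -Property @{ Level = $null; Setting = 'Not configured (OS default applies)' }
    }
    $level = [int]$prop.LmCompatibilityLevel
    New-Object PSObject -Property @{ Level = $level; Setting = $LevelNames[$level] }
}

function Get-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled
    $state = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter = $_.Description
                NetBIOS = $state[[int]$_.TcpipNetbiosOptions]
            }
        }
}

# Run on a client to see the effective authentication level,
# and on the domain controller to see the NetBIOS state per adapter.
Get-LmCompatibilityLevel | Format-List Level, Setting
Get-NetbiosOverTcpip     | Format-Table Adapter, NetBIOS -AutoSize
```

A level of 1 corresponds to the option selected in the procedures above. If the level reverts after a policy refresh, a domain group policy is overriding the local setting.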