When a Windows server or domain is configured to accept NTLMv2 only (rejecting NTLMv1), attempts to use the test configuration function in an IWA direct realm fail with an error. Below is an example of the error seen when attempting to use the test configuration function:
Also, if the realm that uses these servers or domains is used for admin authentication, the user will not be able to log in to the proxy's management console and will be prompted for authentication repeatedly. Example admin authentication CPL:
A bug was discovered: the ProxySG appliance sends NTLMv1 when using an IWA direct realm's test configuration function, and when using an IWA direct realm in admin authentication policy. This causes a problem when the Windows servers or domains are configured to allow NTLMv2 only and reject NTLMv1 (which is not the default). Below is a screenshot from a Windows 2012 server's local security policy showing the relevant policy that allows only NTLMv2:
With the above setting the Windows servers will not accept the NTLMv1 authentication attempts from the proxy.
The fix for this issue is for the ProxySG appliance to use NTLMv2 when authenticating a user as part of the IWA direct realm test configuration process, and for admin authentication, which is used to log in to the ProxySG appliance management console. Bug 215245 was opened to make this change.
Note: bug 215245 is resolved in SGOS 22.214.171.124 and newer releases.
One way to work around this issue is to change the Windows server or domain configuration to allow NTLMv1. The following screenshot shows the appropriate setting for allowing this:
With the above setting, login attempts to the proxy's management console through admin authentication using an IWA direct realm will succeed, and the test configuration function will no longer error. Example:
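The Windows policy shown in both screenshots above is the "Network security: LAN Manager authentication level" security option, which is stored as the LmCompatibilityLevel value under the Lsa registry key. The following PowerShell function, an added example that is not part of this article or of the ProxySG product, reads that value on the server or domain controller and reports whether the host will refuse the NTLMv1 responses that an unfixed SGOS release sends. The function name and the handling of an unset value (treated as "not proven to refuse NTLMv1") are assumptions; the registry path, value name and level meanings are the documented ones.

```powershell
# Added example (not part of the original article): audit whether this Windows host
# refuses NTLMv1, which is the condition that triggers the IWA direct realm problem.
# Documented location of "Network security: LAN Manager authentication level".
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-NtlmAcceptancePolicy {
    # Hypothetical function name chosen for this example.
    [CmdletBinding()]
    param()

    $value = (Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel

    if ($null -eq $value) {
        # Value absent: the option has not been set explicitly and the OS default applies.
        # Assumption: report "not proven to refuse NTLMv1"; confirm the default for the OS in use.
        return [pscustomobject]@{
            Level         = $null
            Description   = 'Not explicitly configured (OS default applies)'
            RefusesNtlmv1 = $false
        }
    }

    [pscustomobject]@{
        Level         = [int]$value
        Description   = $LevelNames[[int]$value]
        # Only level 5 ("Refuse LM & NTLM") rejects the NTLMv1 response the proxy sends.
        RefusesNtlmv1 = ([int]$value -eq 5)
    }
}

$policy = Get-NtlmAcceptancePolicy
$policy | Format-List

if ($policy.RefusesNtlmv1) {
    Write-Warning ('This host refuses NTLMv1: an SGOS release without the bug 215245 fix ' +
                   'will fail IWA direct test configuration and admin authentication against it.')
}
```

Run the function on each domain controller the realm points at, not only on one member server: when the option is delivered by Group Policy it is still written to this same registry value on every host that applies the GPO, so a local read shows the effective setting. A result of level 5 means the appliance must be running a release with the bug 215245 fix, or the policy must be relaxed as described above; a result of 0 to 4 means NTLMv1 is still accepted and the proxy symptoms have another cause.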
Imported Document ID: 000023754