Layer7 API Management

Expand all | Collapse all

NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

Jump to Best Answer
  • 1.  NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Posted 08-29-2017 11:10 AM

    Hi,

    Our system is working with 2 gateways :


    - 1 in DMZ as external gateway that have access on internet
    - 1 in LAN as internal gateway with access to external gateway

     

    Our service call an Exchange Server which use NTLM for authentication (https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa378749(v=vs.85).aspx) Challenge/Response protocol.

     

    NTLM Authentication requires multiple exchange between the client and the server.

     

    When we call the service on the internal gateway the service works with NTML authentication (3 call between my internal gateway and exchange server).


    But on the external gateway, on the second call from the external gateway we got this error :

     

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>Error in assertion processing</faultstring>
    <faultactor>https://apidev-eu-ext1.sanofi.com:7443/MI/1.0/EWS/Exchange.asmx</faultactor>
    <detail>
    <l7:policyResult status="javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>

     

    If you have previous experience with NTLM and CA gateway?

     

    Regards.



  • 2.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Posted 08-29-2017 12:29 PM

    Hi GHaener,

     

    It seems you are encountering an issue related to a certificate validation.

     

    Did you had a look at your generated audit or log entries ?

     

    Regards



  • 3.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Posted 08-30-2017 08:20 AM

    Hi Nicolas,

     

    Here are some logs from the server :

    2017-08-29T14:53:37.020+0200 SEVERE  263 com.l7tech.server.SoapMessageProcessingServlet: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId

    java.lang.ClassCastException: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId

            at com.l7tech.server.transport.http.ConnectionId.equals(Unknown Source)

            at org.apache.http.pool.RouteSpecificPool.getFree(RouteSpecificPool.java:80)

            at org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:223)

            at org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:62)

            at org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:176)

            at org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:172)

            at org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:100)

            at org.apache.http.impl.conn.PoolingClientConnectionManager.leaseConnection(PoolingClientConnectionManager.java:212)

            at org.apache.http.impl.conn.PoolingClientConnectionManager$1.getConnection(PoolingClientConnectionManager.java:199)

            at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:456)

            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)

            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)

            at com.l7tech.common.http.prov.apache.components.f.getResponse(Unknown Source)

            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.a(Unknown Source)

            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.a(Unknown Source)

            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.checkRequest(Unknown Source)

            at com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)

            at com.l7tech.server.policy.assertion.composite.ServerOneOrMoreAssertion.checkRequest(Unknown Source)

            at com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)

            at com.l7tech.server.policy.assertion.composite.ServerAllAssertion.checkRequest(Unknown Source)

            at com.l7tech.server.policy.ServerPolicy.checkRequest(Unknown Source)

            at com.l7tech.server.policy.w.call(Unknown Source)

            at com.l7tech.server.policy.w.call(Unknown Source)

            at com.l7tech.common.log.HybridDiagnosticContext.doInContext(Unknown Source)

            at com.l7tech.server.policy.ServerPolicyHandle.checkRequest(Unknown Source)

            at com.l7tech.server.ao.b(Unknown Source)

            at com.l7tech.server.ao.a(Unknown Source)

            at com.l7tech.server.ao.access$700(Unknown Source)

           at com.l7tech.server.MessageProcessor.a(Unknown Source)

            at com.l7tech.server.MessageProcessor.processMessageNoAudit(Unknown Source)

            at com.l7tech.server.SoapMessageProcessingServlet.serviceNoAudit(Unknown Source)

            at com.l7tech.server.SoapMessageProcessingServlet.access$000(Unknown Source)

            at com.l7tech.server.a1.call(Unknown Source)

            at com.l7tech.server.audit.AuditContextFactory.doWithNewAuditContext(Unknown Source)

            at com.l7tech.server.SoapMessageProcessingServlet.service(Unknown Source)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)

            at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)

            at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:342)

            at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)

            at com.l7tech.server.transport.http.HttpNamespaceFilter.doFilter(Unknown Source)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at com.l7tech.server.WsdlFilter.doFilter(Unknown Source)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at com.l7tech.server.transport.http.ConnectionIdFilter.doFilter(Unknown Source)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at com.l7tech.server.transport.http.InputTimeoutFilter.doFilter(Unknown Source)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at com.l7tech.server.log.HybridDiagnosticContextServletFilter.doFilter(Unknown Source)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:181)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

            at com.l7tech.server.tomcat.ResponseKillerValve.invoke(Unknown Source)

            at com.l7tech.server.tomcat.ConnectionIdValve.invoke(Unknown Source)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:295)

            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)

            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)

            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:396)

            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

            at java.lang.Thread.run(Thread.java:745)

    2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.MessageProcessor: 3016: Request routing failed with status -1 (Undefined)

    2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.message: Message was not processed: Undefined (-1)

     

    Also some audits :

    20170830 14:06:36.043WARNING3016Request routing failed with status -1 (Undefined)

    And the response of the service :

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>Error in assertion processing</faultstring>
    <faultactor>https://apidev-eu-ext1.sanofi.com:7443/MI/1.0/EWS/Exchange.asmx</faultactor>
    <detail>
    <l7:policyResult
    status="javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>

     

    How could I log if there is issue on certificate validation?

     

    Thank you.



  • 4.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN
    Best Answer

    Posted 11-23-2018 03:36 PM

    A case was opened to address this issue and the problem related to a bug in the API Gateway which was resolved by applying the latest CR for 9.2. This fix was also incorporated in version 9.3 and 9.4 of the API Gateway.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support