CA Service Management

  • 1.  17.2 - Which NTLM Version is used?

    Posted Mar 11, 2020 09:00 AM

    Hello,

    My customer wants to know which NTLM Version is used in the different products.

    SDM
    USS
    CATALOG
    PAM
    xFlow

    The TechDocs have no information about the version of NTLM. I looked through every one. Do the products use the same version of NTLM or different ones?

    The situation is that NTLM Version 1 will be disabled in a few weeks in the customer environment. So we need to know which version is used.

    Has anybody some information for me about the problem/topic?

    This would really help us out here.

    Regards,
    Fabian



    ------------------------------
    Assistant IT-Consultant
    Fujitsu Technology Solutions GmbH
    ------------------------------


  • 2.  RE: 17.2 - Which NTLM Version is used?
    Best Answer

    Broadcom Employee
    Posted Mar 12, 2020 01:25 AM
    Hello Fabian,

    We don't tend to specify the version of NTLM for products. If we do, it will be in the product documentation.

    For example, if you're using Service Desk (ITSM17.2) with EEM and using NTLM, then that specifies that it needs NTLM 1.0.

    E.g.:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/administering/configuring-unified-self-service/authenticate-users.html
    "If you want to configure CA EEM with NTLM authentication, select the Enable NTLM(v1) Authentication check box."

    Would it NOT work if you used NTLM 2.0? That's a different question. Maybe that documentation was just being needlessly constrained when it was written, because the version is typically not mentioned in the documentation.

    We also don't use NTLM as the authentication mechanism for everything, so it won't be relevant for all components. I think it is mainly for the IIS components(?). There is a workaround for components that run over Tomcat that avoids using NTLM as it is NOT certified. E.g.:
    https://knowledge.broadcom.com/external/article/72484/how-to-enable-ntlm-authentication-for-ca.html

    There's also a random discussion I pulled from the internet on why you don't encounter NTLM as an authentication option as much. If you look at the authentication options that we use in Service Management for example, you'll see authenticated TLS used in many places, which kind of does away with the whole NTLM discussion. See here:
    How to check whether NTLM v2 or v1 is used for authentication?
    https://security.stackexchange.com/questions/129742/how-to-check-whether-ntlm-v2-or-v1-is-used-for-authentication

    Long story short... you'll need to check each product's documentation specifically. If it is not mentioned, I wouldn't be making any assumptions.

    You can go to the Techdocs page and search for "NTLM". E.g.:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/search.html?q=ntlm

    For PAM:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/automic-process-automation/04-3-04/search.html?q=ntlm

    And then repeat that for each other product you asked about. I know you mentioned you did a document search, but if you start at Techdocs for the relevant product and enter "NTLM" then you'll pull back the broadest range of locations where it is used for that product. In the above example it is used in the integration with EEM, but if you're not using EEM, then that's an easy thing to put a line through.

    Although this answer is a bit of a cop-out and I know that, if the client is thinking of discontinuing NTLM 1.0 (which has NOT reached end of life yet for Microsoft, except on a product-by-product basis), then I'd be asking their network manager to advise if anything for their Service Management products is running over NTLM 1.0. Put some traces on and see. If you can say "We only use it in X scenarios" then that may give you some easy choices to change to a different authentication option. If that is not possible, then on a test environment, test and turn off NTLM 1.0 and see what happens with just a higher version enabled. They really should have a good reason for turning this off.

    Here's another random internet post I found on how to disable NTLM 1.0 and see what happens:
    How can you tell if NTLM or NTLMv2 is used to authenticate?
    https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/ISLY7NnqV-Y

    Other than that, I think you'd need a Support issue to be logged. The Support person will probably want to know what product/components you have where the question is needed and as much additional information from your above reviews, because as above, only specific components within a product will use NTLM. 


    Thanks, Kyle_R.
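
An added example, not part of the reply above and not Broadcom code: one way to answer "is anything still running over NTLM 1.0" before disabling it is to tally Windows Security logon events (ID 4624), whose `LmPackageName` field ("Package Name (NTLM only)") records `NTLM V1` or `NTLM V2`. The sketch assumes the events were saved from Event Viewer as XML; the host names, accounts and addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, host, ip, package, lm_package):
    """Build one constructed 4624 event holding only the fields used below."""
    fields = {"TargetUserName": user, "WorkstationName": host, "IpAddress": ip,
              "AuthenticationPackageName": package, "LmPackageName": lm_package}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample in the layout of an Event Viewer XML export.
SAMPLE = "<Events>" + "".join([
    _event("svc_sdm", "APPSRV01", "10.0.0.21", "NTLM", "NTLM V1"),
    _event("jdoe", "WS-114", "10.0.0.87", "NTLM", "NTLM V2"),
    _event("svc_sdm", "APPSRV01", "10.0.0.21", "NTLM", "NTLM V1"),
    _event("asmith", "WS-120", "10.0.0.90", "Kerberos", "-"),
]) + "</Events>"

def ntlm_logons(xml_text):
    """Yield (version, user, workstation, ip) for every NTLM logon event."""
    root = ET.fromstring(xml_text)
    for ev in root.iterfind(".//e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and other packages carry no NTLM version
        yield (data.get("LmPackageName", "-"), data.get("TargetUserName"),
               data.get("WorkstationName"), data.get("IpAddress"))

def ntlmv1_sources(xml_text):
    """Count NTLM V1 logons per (workstation, source IP)."""
    return Counter((ws, ip) for ver, _user, ws, ip in ntlm_logons(xml_text)
                   if ver == "NTLM V1")

if __name__ == "__main__":
    for (ws, ip), n in ntlmv1_sources(SAMPLE).most_common():
        print(f"{n} NTLM V1 logon(s) from {ws} ({ip})")
```

An empty result over a representative period on the servers hosting the components is the evidence to collect before switching NTLM V1 off.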







  • 3.  RE: 17.2 - Which NTLM Version is used?

    Posted Mar 12, 2020 02:56 AM
    Hello Kyle,

    Thank you for your detailed answer. We'll have to see if it helps us with the problem.

    We will get back to you after searching and testing.

    Regards,
    Fabian

    ------------------------------
    Assistant IT-Consultant
    Fujitsu Technology Solutions GmbH
    ------------------------------



  • 4.  RE: 17.2 - Which NTLM Version is used?

    Posted Mar 25, 2020 04:09 AM

    Hello Kyle,

    For your information: we have disabled NTLM V1 in the development environment. Only NTLM V2 is still active.

    We have made tests with the result that everything works!!!

    So, it's possible to disable NTLM V1 and activate NTLM V2 because everything goes on like before.

    Regards,
    Fabian



    ------------------------------
    Assistant IT-Consultant
    Fujitsu Technology Solutions GmbH
    ------------------------------