Hello Fabian,
We don't tend to specify the version of NTLM for products. If we do, it will be in the product documentation.
For example, if you're using Service Desk (ITSM17.2) with EEM and using NTLM, then that specifies that it needs NTLM 1.0.
Eg:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/administering/configuring-unified-self-service/authenticate-users.html
"If you want to configure CA EEM with NTLM authentication, select the Enable NTLM(v1) Authentication check box."
Would it NOT work if you used NTLM 2.0? That's a different question. Maybe that documentation was just being needlessly constrained when it was written, because the version is typically not mentioned in the documentation.
We also don't use NTLM as the authentication mechanism for everything, so it won't be relevant for all components. I think it is mainly for the IIS components(?). There is a workaround for components that run over Tomcat that avoids using NTLM as it is NOT certified. Eg:
https://knowledge.broadcom.com/external/article/72484/how-to-enable-ntlm-authentication-for-ca.html
There's also a random discussion I pulled from the internet on why you don't encounter NTLM as an authentication option as much. If you look at the authentication options that we use in Service Management for example, you'll see authenticated TLS used in many places, which kind of does away with the whole NTLM discussion. See here:
How to check whether NTLM v2 or v1 is used for authentication?
https://security.stackexchange.com/questions/129742/how-to-check-whether-ntlm-v2-or-v1-is-used-for-authentication
Long story short . . . you'll need to check each product documentation specifically. If it is not mentioned, I wouldn't be making any assumptions.
You can go to the Techdocs page and search for "NTLM" Eg:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/search.html?q=ntlm
For PAM:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/automic-process-automation/04-3-04/search.html?q=ntlm
And then repeat that for each other product you asked about. I know you mentioned you did a document search, but if you start at Techdocs for the relevant product and enter "NTLM" then you'll pull back the broadest range of locations where it is used for that product. In the above example it is used in the integration with EEM, but if you're not using EEM, then that's an easy thing to put a line through.
Although this answer is a bit of a cop out and I know that, if the client is thinking of discontinuing NTLM 1.0 (which has NOT reached end of life yet for Microsoft, except in a product by product basis), then I'd be asking their network manager to advise if anything for their Service Management products is running over NTLM 1.0. Put some traces on and see. If you can say "We only use it in X scenarios" then that may give you some easy choices to change to a different authentication option. If that is not possible, then on a test environment, test and turn off NTLM 1.0 and see what happens with just a higher version enabled. They really should have a good reason for turning this off.
Here's another random internet post I found on how to disable NTLM 1.0 and see what happens:
How can you tell if NTLM or NTLMv2 is used to authenticate?
https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/ISLY7NnqV-Y
Other than that, I think you'd need a Support issue to be logged. The Support person will probably want to know what product/components you have where the question is needed and as much additional information from your above reviews, because as above, only specific components within a product will use NTLM.
Thanks, Kyle_R.
Original Message:
Sent: 03-11-2020 09:00 AM
From: Fabian Kayser
Subject: 17.2 - Which NTLM Version is used?
Hello,
My customer wants to know which NTLM Version is used in the different products.
SDM
USS
CATALOG
PAM
xFlow
The TechDocs have no information about the version of NTLM. I looked through every one. Do the products use the same version of NTLM or different?
The situation is that NTLM Version 1 will be disabled in a few weeks in the customer environment. So we need to know which version is used.
Has anybody some information for me about the problem/topic?
This would really help us out here.
Regards,
Fabian
------------------------------
Assistant IT-Consultant
Fujitsu Technology Solutions GmbH
------------------------------
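One way to act on the "put some traces on and see" advice in the reply above, as an added example that is not part of the thread or of any Broadcom product: Windows Security event 4624 records the NTLM version in its `LmPackageName` field, so exported logon events can be grouped to show which accounts and hosts still authenticate with NTLM V1. It assumes the Security log was exported as a sequence of `<Event>` XML elements (for instance with `wevtutil qe Security /f:xml`); all accounts, hosts and addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(auth_pkg, lm_pkg, user, workstation, ip):
    """Constructed 4624 record holding only the fields read below."""
    fields = {"TargetUserName": user, "WorkstationName": workstation,
              "IpAddress": ip, "AuthenticationPackageName": auth_pkg,
              "LmPackageName": lm_pkg}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


# Constructed sample input: hosts, accounts and addresses are made up.
SAMPLE = "".join([
    make_event("NTLM", "NTLM V1", "svc_sdm", "APP01", "192.0.2.10"),
    make_event("NTLM", "NTLM V1", "svc_sdm", "APP01", "192.0.2.10"),
    make_event("NTLM", "NTLM V2", "jdoe", "WS117", "192.0.2.55"),
    make_event("Kerberos", "-", "asmith", "-", "192.0.2.56"),
])


def ntlm_logons_by_version(events_xml):
    """Group NTLM logons by LmPackageName, counting each (user, host, ip)."""
    # The export has no single root element, so wrap it before parsing.
    root = ET.fromstring(f"<Events>{events_xml}</Events>")
    result = defaultdict(Counter)
    for ev in root.iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {x.get("Name"): (x.text or "").strip()
             for x in ev.iterfind("e:EventData/e:Data", NS)}
        if d.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and other packages are out of scope here
        source = (d.get("TargetUserName", ""), d.get("WorkstationName", ""),
                  d.get("IpAddress", ""))
        result[d.get("LmPackageName") or "unknown"][source] += 1
    return result


if __name__ == "__main__":
    for version, sources in sorted(ntlm_logons_by_version(SAMPLE).items()):
        for (user, host, ip), count in sources.most_common():
            print(f"{version}: {count} logon(s) by {user} from {host} ({ip})")
```

Any source listed under `NTLM V1` is a candidate to break when version 1 is disabled, which narrows the test-environment check to those components.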