ProxySG & Advanced Secure Gateway


I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

  • 1.  I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 09-18-2020 06:08 AM
    Hi;

    In an IWA direct realm, the client sends the NTLM negotiate "Type 1 message". However, no NTLM Challenge comes back from the Proxy SG. As a result, the client sees an Authentication Prompt presented by the Proxy SG. This is notwithstanding that the client is a domain user already authenticated to the domain. Has anyone encountered this situation before?

    Kindly
    Wasfi


  • 2.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 09-21-2020 09:47 AM
    Edited by chancho 09-21-2020 09:54 AM
    Having the same issue. Not seeing NTLMSSP_CHALLENGE in the pcap from the ProxySG after the initial 407 Auth Required response to the client. We are using IWA DIRECT and rejoined the domain. Test configuration shows success when entering the credentials of users, but when real users make requests from PCs they can't authenticate. Contacted Support but still waiting for a solution.


  • 3.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 09-21-2020 07:00 PM
    Edited by Wasfi Bounni 09-21-2020 07:01 PM
    Hi Chancho;

    Are you guys using Azure active directory or do you have an integration with it? In our case, we are using Azure AD.


    Kindly
    Wasfi


  • 4.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 09-22-2020 05:00 AM
    Hi Wasfi. Have you integrated ProxySG with Azure AD for user authentication? What steps did you follow? Do you have any KB that you can share?

    Also is it easy to implement and working smoothly?

    I also have a similar requirement. 

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 5.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 22 days ago
    Hi

    I have not integrated it myself, but the main thing is that you cannot set the SPN for the user with Azure AD. This is for IWA direct if you are using Kerberos with the two proxies being load balanced by a device like an F5.


    Kindly
    Wasfi


  • 6.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Broadcom Employee
    Posted 09-22-2020 01:25 PM
    Hello Wasfi, 

    I know this is going to sound silly, but check in the policy trace, as you reproduce this issue, that the request is matching the correct authentication policy. Then check the authentication policy action to make sure it is referencing the correct realm, and verify that the correct auth mode is selected, or set it to Auto.

    If the above is all good, then check the event log of the AD server to find the auth requests from this user and see what the error message is, if there is any.
    You may need to provide to the support team, under the ticket, the Auth/debug and the lsa/debug as you reproduce the issue.

    Things to try:
    Reboot the proxy and rejoin it to the domain in case something is stuck in memory.

    Slava


  • 7.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 21 days ago
    Actually, after help from Broadcom Support, I found out that the NTLM Type 2 message is being sent by the Proxy SG to the client. However, it is the client that is not responding with its credentials in an NTLM Type 3 message. This leads to a prompt being shown to the user.
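    A small diagnostic, added here as an example and not code from the thread or from Broadcom, that decodes the NTLMSSP message type carried in each Proxy-Authorization / Proxy-Authenticate header of a captured exchange and reports at which step of the Type 1 / Type 2 / Type 3 handshake the conversation stopped. The sample exchange and the minimal tokens it uses are constructed for illustration (the real Type 2 would also carry a server challenge and target info).

    ```python
    import base64
    import struct

    # NTLMSSP message types, read from the 4-byte little-endian field that
    # follows the 8-byte "NTLMSSP\0" signature in every NTLM token.
    NTLM_TYPES = {1: "NEGOTIATE (Type 1)", 2: "CHALLENGE (Type 2)", 3: "AUTHENTICATE (Type 3)"}


    def ntlm_message_type(header_value):
        """Return the NTLMSSP message type in a Proxy-Authorization or
        Proxy-Authenticate header value, or None if it carries no NTLM token
        (Basic, a bare 'NTLM' offer, or a Negotiate/SPNEGO Kerberos blob)."""
        parts = header_value.split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("NTLM", "NEGOTIATE"):
            return None
        try:
            raw = base64.b64decode(parts[1], validate=True)
        except ValueError:
            return None
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return None
        return struct.unpack_from("<I", raw, 8)[0]


    def diagnose(exchange):
        """exchange: list of (sender, header_name, header_value) in wire order.
        Returns (highest NTLM step seen, where to look next)."""
        seen = {t for _, _, v in exchange if (t := ntlm_message_type(v)) in NTLM_TYPES}
        if 3 in seen:
            return 3, "client sent Type 3; check the proxy's auth response and the AD event log"
        if 2 in seen:
            return 2, "proxy sent Type 2 but no Type 3 came back: client-side trust or browser config"
        if 1 in seen:
            return 1, "client sent Type 1 but no Type 2 came back: proxy realm/policy/auth mode"
        return 0, "no NTLM tokens at all: check that the 407 offers NTLM and the policy matches"


    def make_token(msg_type):
        """Constructed minimal NTLMSSP token: signature + type + zero padding."""
        return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20).decode()


    # Constructed exchange matching this thread: Type 1 and Type 2 are present,
    # the client never answers with Type 3, so the user sees a prompt.
    SAMPLE_EXCHANGE = [
        ("proxy", "Proxy-Authenticate", "NTLM"),
        ("client", "Proxy-Authorization", "NTLM " + make_token(1)),
        ("proxy", "Proxy-Authenticate", "NTLM " + make_token(2)),
    ]

    if __name__ == "__main__":
        step, hint = diagnose(SAMPLE_EXCHANGE)
        print(f"handshake stopped after step {step}: {hint}")
    ```

    Feed it the header values pulled from a pcap (for example, from Wireshark's http.proxy_authenticate / http.proxy_authorization fields) in the order they appeared.
    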


  • 8.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Broadcom Employee
    Posted 15 days ago
    Hello Wasfi, 

    This usually happens if the client PC is not NTLM ready, or it is not configured to automatically negotiate NTLM and automatically provide the NTLM credentials to the asking party.
    Or this is because the client PC does not trust the asking party, in this case the proxy.
    If that computer is a part of the AD domain, then I would recommend looking into configuring the browser used to make sure it will trust the proxy's virtual URL redirect (if transparent proxy) or the proxy IP (if explicit). Also check that auto-negotiation is enabled for NTLM. If all is configured and the client PC still won't provide the NTLM credentials back to the proxy, then the issue is still at the client PC level, and I would recommend contacting the browser vendors or OS vendors or checking their forums for similar issues.

    An example of what I am talking about: https://docs.helloid.com/hc/en-us/articles/115002887174-How-to-allow-NTLM-Windows-Authentication-in-Firefox
    Chrome and IE have their own instructions etc.

    I hope this helps.
    Slava


  • 9.  RE: I am not getting the NTLM challenge "Type 2 messages" from the Proxy SG

    Posted 09-28-2020 04:09 PM
    I was looking for the same info, tried doing the same, but it didn't work. Thanks for spreading the knowledge!