NTLM Authentication in pass-through mode failing with IE after upgrading to NAM 3.2
This document (7014114) is provided subject to the disclaimer at the end of this document.
NetIQ Access Manager 3.2 SUpport Pack 2 applied
IIS 6 and 7 Web servers with Applications authenticating users with NTLM
Looking at the browser level logs, the 3 way NTLM handshake would always complete across multiple TCP sessions with IE, but when using Chrome or Firefox the TCP handshake would remain persistent for the complete NTLM handshake. NTLM authentication requires the session to complete over the same TCP connection, and HTTP persistence needs to be enabled by default. In the case of Chrome and Firefox, each response from the AG to the browser would include the HTTP 'Connection: keep-alive' header but with IE, the AG would send a HTTP 'Connection: close' header during the handshake.
The issue could not be duplicated on another remote NAM appliance setup to accelerate the same Web server..
The application that this parameter was needed for was not running NTLM, so we simply added the above “BrowserMatch MSIE force-no-vary” statement to the Advanced Options for that back end Web server in iManager.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7014114
- Creation Date:14-NOV-13
- Modified Date:14-NOV-13
- NetIQAccess Manager (NAM)
Did this document solve your problem? Provide Feedback