Novell Home

My Favorites

Close

Please to see your favorites.

NTLM Authentication in pass-through mode failing with IE after upgrading to NAM 3.2

This document (7014114) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 SUpport Pack 2 applied
IIS 6 and 7 Web servers with Applications authenticating users with NTLM

Situation

Access Manager 3.1 setup and working well. After installing Access Manager 3.2, with the Apache basd proxy, and moving some of the Applications across, user sstarted complaining of looping when trying to authenticate to some back end web servers. Each of these web servers had NTLM authentication enabled, and the problem users were using IE (version did not matter). If the same users used Firefox or Chrome from the same browser, no issues were reported. Using an IE plugin, we also confirmed that IE would work if we changed the User-agent in the request to the AG to a Firefox or Chrome User-agent.

Looking at the browser level logs, the 3 way NTLM handshake would always complete across multiple TCP sessions with IE, but when using Chrome or Firefox the TCP handshake would remain persistent for the complete NTLM handshake. NTLM authentication requires the session to complete over the same TCP connection, and HTTP persistence needs to be enabled by default. In the case of Chrome and Firefox, each response from the AG to the browser would include the HTTP 'Connection: keep-alive' header but with IE, the AG would send a HTTP 'Connection: close' header during the handshake.

The issue could not be duplicated on another remote NAM appliance setup to accelerate the same Web server..

Resolution

Remove “BrowserMatch MSIE force-no-vary” from the httpd.conf file. This is NOT a default setting. The setting had been added by the administrator to fix an issue with the “back” button in IE for a specific app.

The application that this parameter was needed for was not running NTLM, so we simply added the above “BrowserMatch MSIE force-no-vary” statement to the Advanced Options for that back end Web server in iManager.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014114
  • Creation Date:14-NOV-13
  • Modified Date:14-NOV-13
    • NetIQAccess Manager (NAM)

Did this document solve your problem? Provide Feedback