mmalagni
Level 9

Authentication failure only on some website - Authentication didn't return values, failure ID: 1, authentication failed: 1

All,

I'm having a strange issue on only a few websites: I can see correct authentication on google.com and other websites, but on some "heavy" websites I can see the following error in the authentication debug log:

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) URL: http://www.xxxxxxxxxxxxxxx

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Configuration: Active Directory Connection: 0x7fb34c1575c0 RR: 0x546bdb0

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Incoming credentials: NTLM xyxyxyxyxyxyxyxyxyxyxyxyyxyxyxyxy/

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Loaded NTLM cache keys from the connection

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) NTLM cache returned status 3 Authenticated

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Authenticated: 1

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Method: NTLM

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Realm: xxxx

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) User: xxxx

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Groups: xxxx\Ad, Ad

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Added authentication method: Basic realm="Proxy xxxx"

[2014-05-21 12:05:22.802 +02:00] [8693] NTLM (31, 26.2.100.81) Added authentication method: NTLM

[2014-05-21 12:05:53.048 +02:00] [8707] NTLM (32, 26.2.100.81) URL: http://www.xxxxxxxxxxxxx

[2014-05-21 12:05:53.048 +02:00] [8707] NTLM (32, 26.2.100.81) Configuration: Active Directory Connection: 0x59fc720 RR: 0x8dd5180

[2014-05-21 12:05:53.049 +02:00] [8707] NTLM (32, 26.2.100.81) Incoming credentials: NTLM xyxyxyxyxyxyxyxyxyxyxyxyyxyxyxyxy/xyyxyxyxyxyxyxyxyxyx/xyxyxyxyxyxy

[2014-05-21 12:05:53.049 +02:00] [8707] NTLM (32, 26.2.100.81) NTLM cache returned status 0 Not in cache

[2014-05-21 12:05:53.049 +02:00] [8707] NTLM (32, 26.2.100.81) Authentication didn't return values, failure ID: 1, authentication failed: 1

[2014-05-21 12:05:53.049 +02:00] [8707] NTLM (32, 26.2.100.81) Added authentication method: Basic realm="Proxy xxxx"

[2014-05-21 12:05:53.049 +02:00] [8707] NTLM (32, 26.2.100.81) Added authentication method: NTLM

What does "Authentication didn't return values, failure ID: 1, authentication failed: 1" mean?

Thanks

M.

0 Kudos
2 Replies
McAfee Employee

Re: Authentication failure only on some website - Authentication didn't return values, failure ID: 1, authentication failed: 1

Hi M,

Failure ID of 1 means that the NTLM AUTHENTICATE message was received out of order.

In NTLM, authentication occurs in three steps; the last two must occur in the same connection.

So typically a machine will authenticate like so in the same TCP connection:

TCP Connection 1:

Client: GET

MWG: 407 / Proxy-Authenticate: NTLM

Client: GET / Proxy-Authenticate: NTLM NEGOTIATE

MWG: 407 / Proxy-Authenticate: NTLM CHALLENGE

Client: GET / Proxy-Authenticate: NTLM AUTHENTICATE

MWG: 200 OK

In your example, the exchange might be something like this:

TCP Connection 1:

Client: GET

MWG: 407 / Proxy-Authenticate: NTLM

Client: GET / Proxy-Authenticate: NTLM NEGOTIATE

MWG: 407 / Proxy-Authenticate: NTLM CHALLENGE

TCP Connection 2:

Client: GET / Proxy-Authenticate: NTLM AUTHENTICATE

MWG: 407 (failure ID 1)

I have example captures in this article:

Different Options explained for different Deployment Methods - https://community.mcafee.com/docs/DOC-4384

Example NTLM tcpdump: https://community.mcafee.com/servlet/JiveServlet/download/4384-3-61924/1.5.0_directproxy_ntlm.pcap.z...

Best,

Jon

0 Kudos
McAfee Employee

Re: Authentication failure only on some website - Authentication didn't return values, failure ID: 1, authentication failed: 1

Just a comment on this one: the three steps are NEGOTIATE, CHALLENGE, AUTHENTICATE. The last two must happen in the same connection because the challenge is used to verify the authenticate step.

Best,

Jon

0 Kudos
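
The connection rule described in the replies above, as an added example (not McAfee Web Gateway code and not from the original posts): it reads the message type from each NTLM token (the little-endian integer after the `NTLMSSP\0` signature) and reports connections that carry an AUTHENTICATE without a CHALLENGE issued on that same connection. The event tuples, connection ids and the `sample_token` helper are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(token_b64):
    """Return the NTLM message type name of a base64 token, or None if it is not NTLM."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return NTLM_TYPES.get(msg_type)

def find_out_of_order(events):
    """events: (conn_id, sender, token_b64) tuples in capture order.

    Returns the conn_ids on which the client sent AUTHENTICATE although the
    proxy had no outstanding CHALLENGE on that same connection.
    """
    challenged = set()
    flagged = []
    for conn_id, sender, token in events:
        kind = ntlm_message_type(token)
        if sender == "proxy" and kind == "CHALLENGE":
            challenged.add(conn_id)
        elif sender == "client" and kind == "AUTHENTICATE":
            if conn_id not in challenged:
                flagged.append(conn_id)
            # Assumption of this sketch: a challenge is consumed by one AUTHENTICATE.
            challenged.discard(conn_id)
    return flagged

def sample_token(msg_type):
    # Constructed token: signature, type field and zero padding only, not a real NTLM payload.
    body = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 8
    return base64.b64encode(body).decode()

# Constructed events mirroring the two exchanges in the reply.
SAME_CONN = [(1, "client", sample_token(1)), (1, "proxy", sample_token(2)),
             (1, "client", sample_token(3))]
SPLIT_CONN = [(1, "client", sample_token(1)), (1, "proxy", sample_token(2)),
              (2, "client", sample_token(3))]

if __name__ == "__main__":
    print("same connection:", find_out_of_order(SAME_CONN))
    print("split across connections:", find_out_of_order(SPLIT_CONN))
```

Fed with tokens extracted from a packet capture and keyed by TCP stream, the same check shows whether a client or an intermediate device is moving the final step onto a new connection.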