6 Replies Latest reply on Oct 22, 2012 6:08 AM by luca.scamoni

    Kerberos and NTLM authentication fallback

    luca.scamoni

      I'm facing this problem with MWG 7.2.0.3 configured to authenticate clients using kerberos or NTLM as a fallback mechanism.

      webgateway.PNG

      • upon submitting the GET request the client receives a 407 response asking to authenticate using Negotiate or NTLM
      • here three things may happen:
        1. the client has or negotiates a valid kerberos ticket and submits the GET request including the krbtkt using negotiate method; OK
        2. the client doesn't know how to manage kerberos and chooses to submit the GET request choosing the NTLM method; OK
        3. the client can't (or won't) negotiate a valid kerberos ticket and submits the GET request including the NTLMSSP using the negotiate method; KO

      This last case leads to the browser showing the classic "unable to connect" message.


      A tcpdump of case 1:

      krb1.png

      frame 839:

      get.PNG

      frame 847:

      407.PNG

      frame 879 after kerberos ticket negotiation:

      get2.PNG

      leading to the final 200/OK


      A tcpdump of case 3:

      failed.PNG

      frames 379 and 384 are similar to 839 and 847 above. Then frame 388:

      getntlm.PNG

      sends the negotiate request using NTLMSSP and MWG answers in frame 398:

      407ntlm.PNG

      Here traffic ends and IE shows the "can't connect" message.


      Here the browser tells MWG that the strongest security method it knows is NTLM, but MWG is unable to complete the NTLM handshake using negotiate.

      Can it be made to work as expected?
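An added example, not part of the thread or of MWG: a small Python classifier that decodes a `Proxy-Authorization` header value and reports which of the three cases above the client chose, distinguishing an SPNEGO token whose preferred mechanism is Kerberos from one that prefers NTLMSSP, and from bare NTLMSSP sent under the Negotiate scheme. The mechanism OIDs are the standard ones; the sample tokens are constructed here with placeholder bodies, not taken from the captures in the post.

```python
import base64
# DER-encoded (tag+length+value) OIDs of the mechanisms that matter in this thread.
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (MS variant)
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                            # every NTLM message starts with this

def der(tag, body):
    """Minimal DER TLV encoder (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def spnego_init(mech_oids, mech_token):
    """GSS-API InitialContextToken wrapping a NegTokenInit (mechTypes + mechToken)."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))  # [0] mechTypes
    token = der(0xA2, der(0x04, mech_token))                 # [2] mechToken
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, mech_types + token)))

def classify(header):
    """Map a Proxy-Authorization value onto the three cases from the post."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "case2: NTLM scheme"
    if scheme.lower() != "negotiate":
        return "other: %s" % scheme
    blob = base64.b64decode(b64)
    if blob.startswith(NTLMSSP_SIG):          # bare NTLM inside a Negotiate header
        return "case3: Negotiate carrying NTLMSSP"
    if not (blob.startswith(b"\x60") and OID_SPNEGO in blob[:16]):
        return "other: unrecognised Negotiate token"
    # mechTypes comes first in NegTokenInit, so the earliest OID hit is the preferred mechanism.
    hits = [(blob.find(o), n) for n, o in (("krb5", OID_KRB5), ("krb5", OID_MSKRB5), ("ntlm", OID_NTLM))]
    hits = [h for h in hits if h[0] >= 0]
    if not hits:
        return "other: SPNEGO with no known mechanism"
    return "case3: Negotiate carrying NTLMSSP" if min(hits)[1] == "ntlm" else "case1: Negotiate carrying Kerberos"

# Constructed sample headers, not the ones from the capture in the post.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 24
SAMPLES = {
    "case1": "Negotiate " + base64.b64encode(spnego_init([OID_MSKRB5, OID_KRB5, OID_NTLM], b"AP-REQ-PLACEHOLDER")).decode(),
    "case2": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    "case3_spnego": "Negotiate " + base64.b64encode(spnego_init([OID_NTLM], NTLM_TYPE1)).decode(),
    "case3_bare": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
}
```

Feed it the header values exported from a capture (e.g. the frames 879 and 388 discussed above) to confirm which form of case 3 the browser is actually sending before deciding whether the proxy-side NTLM-in-Negotiate handling or the client-side Kerberos configuration is the thing to fix.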