cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
holger_haas
Level 8
Report Inappropriate Content
Message 1 of 4
‎11-26-2015 02:39 AM

Basic authentication seems not to work

Hello community,

I seem to have similar problems as described in

According to a trace with tcpdump, the clients gets a 407 message and is offered three authentication methods: Kerberos, NTLM and basic. The client then does not answer and the connection runs into a timeout.

My NTLM configuration looks like this, with basic authentication enabled:

NTLM.PNG

While the authentication rules where taken from the library:

Auth.PNG

The auth debug log looks like this:

[2015-11-20 16:14:03.231 +01:00] [5622] NTLM (25821, 10.xxx.xxx.xxx) URL: https://cfdi.timbrado.com.mx

[2015-11-20 16:14:03.231 +01:00] [5622] NTLM (25821, 10.xxx.xxx.xxx) Configuration: NTLM Connection: 0x7f940ca3fe50 RR: 0x7f93fb672c70

[2015-11-20 16:14:03.231 +01:00] [5622] NTLM (25821, 10.xxx.xxx.xxx) Authentication didn't return values, failure ID: 4, authentication failed: 0

[2015-11-20 16:14:03.231 +01:00] [5622] NTLM (25821, 10.xxx.xxx.xxx) Added authentication method: Basic realm="McAfee Web Gateway"

[2015-11-20 16:14:03.231 +01:00] [5622] NTLM (25821, 10.xxx.xxx.xxx) Added authentication method: NTLM

[2015-11-20 16:14:03.232 +01:00] [5622] Kerberos (25822, 10.xxx.xxx.xxx) URL: https://cfdi.timbrado.com.mx

[2015-11-20 16:14:03.232 +01:00] [5622] Kerberos (25822, 10.xxx.xxx.xxx) Configuration: Kerberos Connection: 0x7f940ca3fe50 RR: 0x7f93fb672c70

[2015-11-20 16:14:03.232 +01:00] [5622] Kerberos (25822, 10.xxx.xxx.xxx) Added authentication method: Negotiate

[2015-11-20 16:14:03.232 +01:00] [5622] Kerberos (25822, 10.xxx.xxx.xxx) Authentication didn't return values, failure ID: 4, authentication failed: 0

[2015-11-20 16:14:03.258 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) URL: https://cfdi.timbrado.com.mx

[2015-11-20 16:14:03.258 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Configuration: NTLM Connection: 0x7f93dbff8c60 RR: 0x7f931e468bf0

[2015-11-20 16:14:03.258 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Incoming credentials: Negotiate TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

[2015-11-20 16:14:03.258 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) NTLM cache returned status 0 Not in cache

[2015-11-20 16:14:03.259 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Authentication didn't return values, failure ID: 0, authentication failed: 0

[2015-11-20 16:14:03.259 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Added authentication method: Basic realm="McAfee Web Gateway"

[2015-11-20 16:14:03.259 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Added authentication method: Negotiate TlRMTVNTUAACAAAAAAAAAAAAAAA1gongVmmhuiEGb0AAAAAAAAAAAAAAAAAAAAAA

[2015-11-20 16:14:03.259 +01:00] [5580] NTLM (25823, 10.xxx.xxx.xxx) Stored NTLM cache keys in the connection

You can see, that basic authentication is offered, but the client does not seem to react to this.

Does anyone have an idea?

Thank you and best regards,

Holger

0 Kudos
Reply
3 Replies
holger_haas
Level 8
Report Inappropriate Content
Message 2 of 4
‎12-07-2015 07:15 AM

Re: Basic authentication seems not to work

I made a wrong interpretation of the logs here, this seems to have nothing to do with basic authentication.

The problem can be avoided by using "<USER>@domain.tld" as syntax for the username (according to the users, "<DOMAIN>\<USER>" did not work in every case).

  • In a tcpdump capture, you can see that in the first (non-working, no domain suffix) case the client responds to the first 407 request from the proxy with a NTLM header (Negotiate TlRM). The proxy then sends another 407, to which the client does not respond:    auth_pcap1.PNG
  • In the second case (working, with domain suffix), the client responds to the 407 with a Kerberos ticket and is successfully authenticated:auth_pcap2.PNG

This behaviour was different before, as we used BlueCoat Proxy SG machines as proxy, however, the authentication mechanisms were the same (Kerberos with fallback to NTLM and basic).

Can someone explain what happens here, and maybe even how to change this behaviour so the domain suffix is not needed anymore?

Looking forward to your ideas,

Holger

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 4
‎12-07-2015 11:57 AM

Re: Basic authentication seems not to work

Hi Holger,

What you're seeing is the client send a Negotiate with a NTLM token (TlRM). The rules you have imported (which I helped create) will reject Kerberos with a NTLM token. The client is likely failing to get a kerberos ticket in the first scenario.

This is the same problem mentioned here:

Best Regards,

Jon

edited

0 Kudos
Reply
holger_haas
Level 8
Report Inappropriate Content
Message 4 of 4
‎12-15-2015 05:49 AM

Re: Basic authentication seems not to work

Hello Jon,

I finally found the time to replicate this issue again. I tested it with your  true ntlm fallback with kerberos v2 ruleset from the before mentionend article, but the behaviour is unfortunately similar:

  • without domain suffix, the client gets a 407 request with all auth mechanisms offered, and responds with "Negotiate TlRM". The proxy sends another 407 request, this time only with NTLM as auth mechanism, but this time the client does not respond at all.
  • with domain suffix, the client responds with "Negotiate YII..." in the first place and gets access. The same, btw., if you use <domain>\<user>  as username.

For normal applications, this is not a big issue, but I would have a better feeling with the old (bluecoat) behaviour, because I fear that we might run into problems with webapplications here...

Best Regards,

Holger

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC