Issues with NTLM Authentication

Are there any issues with using NTLM authentication when doing SSO to a back end application?



Update
10-31-2014: With webNetwork 6.2.1.182 and higher, many updates have been made to handle NTLM v2 applications that do not also maintain a session cookie. The changes in webNetwork match the webNetwork user to the proper connection back to the host server. The lack of that matching is what caused problems in the past when the NTLM application did not use a session cookie to track users.


One key point when doing SSO through the portal to an application that uses NTLM authentication: there are two ways an NTLM-protected application can keep track of who a user is after the handshake.


1) The back end application asks for the user's name and password using NTLM, and IIS records the result against the user's TCP connection. After the initial handshake the username and password are not sent again; IIS treats every further request arriving on that connection as coming from that user. This is how NTLM over HTTP works: it authenticates the connection, not the individual request.

2) The user authenticates using NTLM and the application then issues a session id / cookie that the browser sends with every request to the IIS server, so the application identifies the user by the cookie rather than by the connection.



If the application uses #1, it typically does not work properly through webNetwork. For efficiency, webNetwork "pools" connections to the back end server and shares those connections among front-end users. More than one user's requests therefore travel over the same back-end connection, and because IIS is tracking identity by connection instead of by a session id / cookie sent with each request, it attributes the second user's requests to whoever authenticated on that connection first.

The fix has two parts: on the IIS server, enable Basic authentication in addition to Windows (NTLM) authentication on the application; and on the webapplication object in webNetwork, set the authentication to disable NTLM so the relay answers the Basic challenge instead. Basic authentication carries the credential on every request, so IIS does not need to remember which connection belongs to which user.

Depending on the application, it may also support some type of form authentication, which likewise identifies the user by a cookie rather than by the connection.


The symptom is a cross-user data exposure: one user logs into the portal and clicks the link for the application, then a second user logs into the portal, clicks the same link, and ends up seeing the first user's information.
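The following toy model is an added example, not webNetwork or Stoneware code. It reproduces the two tracking modes above, the pooled-connection leak, and the two-part fix (IIS offering Basic alongside NTLM, and the relay answering with Basic instead of NTLM); it also shows the relay answering the Basic challenge on the user's behalf, as described in the questions below. The accounts are constructed, the NTLM handshake is stood in for by a single "NTLM user:password" header, and `ntlm_disabled` is a hypothetical name for the webapplication setting, not the product's actual configuration key.

```python
"""Toy model of NTLM SSO through a connection-pooling relay (added example,
not webNetwork code). NTLM is not implemented: a single 'NTLM user:password'
header stands in for the handshake, which is all the model needs."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed accounts for the toy back end; not real credentials.
USERS = {"alice": "pw-a", "bob": "pw-b"}


@dataclass
class Request:
    conn_id: int                  # pooled TCP connection the relay used
    user: str                     # portal user the relay is acting for
    auth: Optional[str] = None    # Authorization header, if any
    cookie: Optional[str] = None  # application session cookie, if any


class Backend:
    """Stand-in for IIS plus the application. `schemes` is what IIS offers
    in WWW-Authenticate; `tracking` is how the application knows who a later
    request belongs to: 'connection' (KB mode 1) or 'cookie' (KB mode 2)."""

    def __init__(self, schemes: List[str], tracking: str):
        self.schemes = schemes
        self.tracking = tracking
        self.conn_user: Dict[int, str] = {}  # NTLM-authenticated connections
        self.sessions: Dict[str, str] = {}   # session cookie -> user

    def handle(self, req: Request) -> dict:
        if self.tracking == "cookie" and req.cookie in self.sessions:
            return {"status": 200, "as_user": self.sessions[req.cookie]}
        if self.tracking == "connection" and req.conn_id in self.conn_user:
            # Connection already authenticated: no challenge, header ignored.
            return {"status": 200, "as_user": self.conn_user[req.conn_id]}
        scheme, user = self._verify(req.auth)
        if user is None:
            return {"status": 401, "www_authenticate": list(self.schemes)}
        resp = {"status": 200, "as_user": user}
        if scheme == "NTLM" and self.tracking == "connection":
            self.conn_user[req.conn_id] = user  # identity bound to the connection
        elif self.tracking == "cookie":
            sid = f"sid-{len(self.sessions)}"
            self.sessions[sid] = user
            resp["set_cookie"] = sid
        return resp  # Basic with no cookie: re-verified on every request

    def _verify(self, auth: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
        if not auth:
            return None, None
        scheme, _, blob = auth.partition(" ")
        if scheme not in self.schemes:
            return None, None
        if scheme == "Basic":
            blob = base64.b64decode(blob).decode()  # base64 only, not encryption
        user, _, pw = blob.partition(":")
        return (scheme, user) if USERS.get(user) == pw else (None, None)


class Relay:
    """Stand-in for the portal relay: all users share one pooled back-end
    connection. On a 401 the relay answers the challenge itself with the
    user's stored credential, so the browser never sees it."""

    def __init__(self, backend: Backend, ntlm_disabled: bool = False):
        self.backend = backend
        self.ntlm_disabled = ntlm_disabled  # hypothetical name for the KB's setting
        self.cookies: Dict[str, str] = {}   # per-user cookie jar
        self.pooled_conn = 0                # one connection for everybody

    def fetch(self, user: str) -> str:
        """Fetch the app page for `user`; return whose data came back."""
        req = Request(self.pooled_conn, user, cookie=self.cookies.get(user))
        resp = self.backend.handle(req)
        if resp["status"] == 401:
            req.auth = self._credential(user, resp["www_authenticate"])
            resp = self.backend.handle(req)
        if "set_cookie" in resp:
            self.cookies[user] = resp["set_cookie"]
        return resp.get("as_user", "nobody")

    def _credential(self, user: str, offered: List[str]) -> str:
        pw = USERS[user]
        if "Basic" in offered and (self.ntlm_disabled or "NTLM" not in offered):
            return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        return f"NTLM {user}:{pw}"  # toy stand-in for the Type 1/2/3 exchange


def bob_sees(schemes: List[str], tracking: str, ntlm_disabled: bool = False) -> str:
    """Alice opens the app through the portal first, then Bob. Returns whose
    data Bob's request is served as; 'alice' is the cross-user leak."""
    relay = Relay(Backend(schemes, tracking), ntlm_disabled)
    assert relay.fetch("alice") == "alice"
    return relay.fetch("bob")


if __name__ == "__main__":
    print("NTLM only, app tracks by connection :", bob_sees(["NTLM"], "connection"))
    print("NTLM only, app tracks by cookie     :", bob_sees(["NTLM"], "cookie"))
    print("NTLM+Basic, relay still uses NTLM   :", bob_sees(["NTLM", "Basic"], "connection"))
    print("NTLM+Basic, NTLM disabled on relay  :", bob_sees(["NTLM", "Basic"], "connection", True))
```

The third case is the one that catches people: enabling Basic on IIS alone changes nothing, because a relay that still answers the challenge with NTLM still gets its pooled connection bound to the first user. Only when the relay is told not to use NTLM does it fall back to Basic, which IIS re-verifies on every request.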

Some common questions about adding basic authentication in addition to NTLM on the IIS server.

Question) I thought webNetwork supported NTLM?
Answer) It does, but this is a special case: because webNetwork pools connections to the back end server, the IIS server gets confused as to which user is requesting information.

Question) Basic authentication is insecure.
Answer) True, but Basic authentication is only used on the hop from the Stoneware server to the IIS server. The user NEVER sends their username and password; the Stoneware webNetwork relay sees that the IIS server requested Basic authentication, intercepts that request and answers it on behalf of the user. Thus if the Stoneware server and the IIS server are in the same data center, the password never leaves the data center. Keep in mind that Basic authentication only base64-encodes the credential on every request, so that relay-to-IIS hop should still be protected with HTTPS.

Question) We want users inside the LAN who are not using the portal to still authenticate with NTLM.
Answer) Enabling Basic authentication alongside Windows authentication (NTLM) on the IIS server offers both schemes in the 401 challenge. A browser that supports Windows authentication will choose NTLM over Basic when both are offered, so LAN users are unaffected; only the webNetwork relay, with NTLM disabled on the webapplication object, answers with Basic.

