NetScaler sending NTLM V2 Response in Type3 Message even though it was configured to send NTLM V1

Article ID: CTX221081

Description

SSO failure between NetScaler and the back-end server: NetScaler sends an NTLMv2 response in the Type 3 (authenticate) message even though it has been configured to send NTLMv1.

Resolution

Make sure the back-end server does not set the Negotiate Target Info flag (0x00800000) in the Negotiate Flags of its Type 2 (challenge) message.

When that flag is set, NetScaler answers with an NTLMv2 response regardless of the sso_enable_ntlmv2 setting; see the Problem Cause section below.


Problem Cause

  • To disable NTLMv2, run the following command from the NetScaler shell: nsapimgr_wr.sh -ys sso_enable_ntlmv2=0. This disables NTLMv2 on NetScaler so that it uses NTLMv1 only. Note that NTLMv1 responses are considerably weaker than NTLMv2 (DES-based, no binding to the target), so apply this tweak only where the back-end server genuinely cannot handle NTLMv2.
  • There is no option in the NetScaler configuration to select the NTLM version used for SSO credentials; the nsapimgr tweak is the only control.
  • To make the tweak persist across reboots:
    echo "/netscaler/nsapimgr_wr.sh -ys sso_enable_ntlmv2=0" >> /nsconfig/nsafter.sh
  • With the tweak applied, NetScaler sends a Type 1 (negotiate) message that does not request NTLMv2. However, when the server's Type 2 (challenge) message carries the Negotiate Target Info flag together with a Target Information block, NetScaler computes an NTLMv2 response in its Type 3 message. This is the behaviour the NTLM specification prescribes for that flag:

    0x00800000    Negotiate Target Info    Sent by the server in the Type 2 message to indicate that it is including a Target Information block in the message. The Target Information block is used in the calculation of the NTLMv2 response.

    Detailed information on NTLM: http://davenport.sourceforge.net/ntlm.html

    If the server supports only NTLMv1, make sure it does not send this flag.
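The following is an added example, not code from the Citrix article or from NetScaler itself. It parses an NTLM Type 2 (CHALLENGE_MESSAGE) according to the MS-NLMP layout, checks the Negotiate Target Info flag, and shows why a client that honours the specification must compute an NTLMv2 response when a Target Information block is present: the block is part of the data the NTLMv2 proof is computed over. The Type 2 messages, the server challenge, the client nonce, the timestamp and the NT hash (the well-known hash of an empty password) are all constructed inputs; the names build_type2, parse_type2, response_version and ntlmv2_response are this example's own.

```python
"""Added example: parse an NTLM Type 2 (CHALLENGE_MESSAGE) and show how the
Negotiate Target Info flag drives an NTLMv2 response (layout per MS-NLMP).
All sample messages and keys below are constructed for illustration."""
import hashlib
import hmac
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200          # NTLMv1 session security requested
NEGOTIATE_TARGET_INFO = 0x00800000   # server includes a Target Info block

AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName"}


def build_type2(target_name: str, flags: int, challenge: bytes, av_pairs) -> bytes:
    """Construct a CHALLENGE_MESSAGE as a server would send it (test input).
    The fixed header is 48 bytes when the optional Version field is omitted."""
    name = target_name.encode("utf-16-le")
    info = b""
    if flags & NEGOTIATE_TARGET_INFO:
        for av_id, value in av_pairs:
            v = value.encode("utf-16-le")
            info += struct.pack("<HH", av_id, len(v)) + v
        info += struct.pack("<HH", 0, 0)          # MsvAvEOL terminator
    header_len = 48
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), header_len)   # TargetNameFields
            + struct.pack("<I", flags) + challenge + b"\x00" * 8        # flags, challenge, reserved
            + struct.pack("<HHI", len(info), len(info), header_len + len(name))  # TargetInfoFields
            + name + info)


def parse_type2(msg: bytes) -> dict:
    """Parse the fixed header of a CHALLENGE_MESSAGE and its AV_PAIR list."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP Type 2 message")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    challenge = msg[24:32]                       # 8 reserved bytes follow at 32..40
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    target_name = msg[tn_off:tn_off + tn_len].decode("utf-16-le")
    target_info = msg[ti_off:ti_off + ti_len] if flags & NEGOTIATE_TARGET_INFO else b""
    av_pairs, pos = [], 0
    while pos + 4 <= len(target_info):
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        value = target_info[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                           # MsvAvEOL ends the list
            break
        av_pairs.append((AV_NAMES.get(av_id, "AvId%d" % av_id), value.decode("utf-16-le")))
    return {"flags": flags, "challenge": challenge, "target_name": target_name,
            "target_info": target_info, "av_pairs": av_pairs}


def response_version(type2: dict, client_ntlmv2_enabled: bool) -> int:
    """Version of the Type 3 response a spec-following client sends. Even with
    NTLMv2 disabled on the client (the NetScaler tweak), a Target Info block in
    the challenge results in an NTLMv2 response."""
    if client_ntlmv2_enabled or (type2["flags"] & NEGOTIATE_TARGET_INFO and type2["target_info"]):
        return 2
    return 1


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, type2: dict,
                    timestamp: int, client_nonce: bytes) -> bytes:
    """NtChallengeResponse per MS-NLMP 3.3.2. The server's Target Info block is
    embedded in the signed 'temp' blob, which is why its presence changes the
    response type: NTLMv1 has no place to carry it."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce
            + b"\x00" * 4 + type2["target_info"] + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2, type2["challenge"] + temp, hashlib.md5).digest()
    return nt_proof + temp


if __name__ == "__main__":
    chal = b"\x11\x22\x33\x44\x55\x66\x77\x88"   # constructed server challenge
    base = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    samples = {
        "server sets Negotiate Target Info": build_type2(
            "CORP", base | NEGOTIATE_TARGET_INFO, chal,
            [(2, "CORP"), (1, "WEB01"), (4, "corp.example")]),
        "server omits Negotiate Target Info": build_type2("CORP", base, chal, []),
    }
    for label, msg in samples.items():
        t2 = parse_type2(msg)
        print("%s -> client with NTLMv2 disabled answers NTLMv%d; AV pairs: %s"
              % (label, response_version(t2, client_ntlmv2_enabled=False), t2["av_pairs"]))
```

Run against a real capture by feeding the base64-decoded value of the server's `WWW-Authenticate: NTLM ...` header to parse_type2; a non-empty av_pairs list with the flag set is the condition the article describes, and the fix is on the server side, not in the client's NTLM setting.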

Server Type 2 response with the Negotiate Target Info flag bit set
[screenshot not available]

NetScaler responding with NTLMv2 because the server's Type 2 message requests it
[screenshot not available]


Additional Information

http://davenport.sourceforge.net/ntlm.html