XModem
Enthusiast
Enthusiast

NTLM authentication in vCAC-integrated vCO does not work

Hi everyone

Across a few different installations, all involving Windows 2012 AD (UCP Pro, converged solution), I'm desperately trying to get the vCO (integrated in the vCAC 6.x VA) to talk to any web service, which uses NTLM authentication, such as REST, the vCAC Plugin (which connects to the web service of the IaaS server), etc.

When I examine the logs of the affected IIS (both 2008 R2 and 2012-based), then I always see that when vCO connects first, without credentials, IIS sends a 401 unauthorized reply (as expected), but the Orchestrator does not come again using NTLM authentication, it simply stops there.

I've been trying this

- reducing NTLM requirements from "v2 only" to "NTLM v2, NTLM v1 and LM"

- disabling loopback host verification using registry hacks on the IIS servers

- many different web services on different versions of IIS

- basic authentication (works fine)

- manual connection using a browser and NTLM authentication (works fine)

All did not help solving the issue.

While I could not really figure out the root case I believe it boils down to either

- some changes in AD 2012, which I couldn't figure out yet; all online documentation hints that nothing was changed in terms of NTLM compatibility between ADS 2008 R2 and 2012 (non-R2)

- vCO on the vCAC (Linux) appliance would not handle NTLM authentication correctly

Things I did not try

- Using an external vCO appliance or instance (going to try next)

Any hints appreciated.

- Jonas

0 Kudos
2 Replies
jbweber2
Enthusiast
Enthusiast

When you get the 401 response are you seeing a correct WWW-Authorization header in the response? That's usually my cue that the configuration for authentication is mucked up in IIS.


When I access the IIS on my 2012 test environment with the IIS settings following vCAC pre-req I see the following, with the bolded lines being most important for auth to work correctly:


HTTP/1.1 401 Unauthorized

Content-Type: text/html

Server: Microsoft-IIS/8.5

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

Date: Wed, 05 Mar 2014 23:42:54 GMT

Content-Length: 1293


Normally on the initial request if those are missing I doing a hard reset of the IIS configuration and that fixes things up for me.

Another useful tool I've found for debugging is to run fiddler on a machine to do debugging of the request / response out of vCO into my server.

I ran these tests from vCO 5.5.1 appliance using the bundled http-rest plugin. I don't have a full vCAC 6 setup in my home lab to try to test using the actual vCAC plugin.

0 Kudos
XModem
Enthusiast
Enthusiast

Thanks for your answer; I believe it's not related to actual IIS configuration, since I can get to NTLM (Windows) Authentication when connecting with Internet Explorer, but I might want to sniff the traffic anyway, in order to see closer as to what's going on in detail (if I got some time to spare).

If anyone has an idea as to why that could happen, let me know.

0 Kudos