topic Re: NTLM authentication problems in General Topics

NTLM authentication problems

niitnn — Mon, 17 Jul 2017 11:24:02 GMT

Hello,

I`m trying to configure NTLM Authentification over Captive Portal for users in my network. I have PA-500. I set the next configuration parameters:

1. LDAP Server Profile

2. Authentication Profile

3. Authentication Policy (Authentication enforcement is "default-browser-challenge")

4. User-ID checkbox on the trust zone

5. Generate certificate and made SSL/TLS service Profile

6. Enable Captive Portal and NTLM Authentication with redirecting to IP-address of the trust zone Interface

7. Service Account included to Event Log Reader and Distributed COM groups and for this Account were delegated rights to join cmputers to domain.

8. In the ou=Computers was crteated Computer Account for my PA. Then Service account (by logs on DC) made some changes with that Computer Account and then deleted that Computer Account automatically.

And now users enter site names to IE address string and redirect to web-form authentication. But even if user enters the wright password, web-form writes "Wrong username/password" message. In system logs there are messages "SSO NTLM Authentication failed". And no entries in User - IP table.

Installed PAN OS - 8.0.3-h4.

I need agentless User-ID configuration with NTLM Authentification. What I'm doing wrong?

Re: NTLM authentication problems

BPry — Mon, 17 Jul 2017 12:57:11 GMT

@niitnn,

Is the failure strickly with IE? They made some changes that break this on IE11 unless you revert to how things were configured previously. The article below specifies what changes would have to be made.

https://live.paloaltonetworks.com/t5/Management-Articles/Captive-Portal-NTLM-Authentication-Fails-With-IE11/ta-p/56024

Re: NTLM authentication problems

niitnn — Mon, 17 Jul 2017 13:16:20 GMT

IE is the base browser in our organization. Therefor I'm trying to connect to Internet exactly by IE. I saw thia article about IE11 a added Captive Portal redirect host to Intranet zone. But no effect...

Re: NTLM authentication problems

BPry — Mon, 17 Jul 2017 14:06:52 GMT

@niitnn,

Could you share a screenshot of your NTLM configuration. Also can you verify that you did not include the domain name within the Admin User section of the configuration.

Re: NTLM authentication problems

niitnn — Mon, 17 Jul 2017 14:14:51 GMT

You can find the screenshot:

Re: NTLM authentication problems

BPry — Mon, 17 Jul 2017 18:34:53 GMT

I'm starting to wonder if the issue wasn't with the firewall removing itself from the computer OU that is causing you issues. You might want to disable NTLM comitt and then enable it again and see what happens.

When you run 'show user server-monitor state all' on the firewall do you see any NTLM stats there?

Re: NTLM authentication problems

niitnn — Tue, 18 Jul 2017 07:30:23 GMT

It's wonder for me too. Disable NTLM - Commit - Enable NTLM - Commit takes no effect.

Logs from DC:

Fnd the output from 'show user server-monitor state all':

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

May be I missed to set any parameter? Or this is a bug of PAN OS 8.0.3 ?

Re: NTLM authentication problems

BPry — Tue, 18 Jul 2017 12:40:31 GMT

@niitnn,

It could very well be a bug, it looks like you have everything configured correctly and your service account appears to be functioning perfectly fine. I would open a case with TAC if able so you can get their input.

Re: NTLM authentication problems

niitnn — Tue, 18 Jul 2017 12:51:45 GMT

Thank you. But now the best way is downgrade to 7.0.17?