I came across an issue where we were getting "Page cannot be displayed" while accessing a published website through TMG 2010 with NTLM authentication configured on the listener.
On the TMG firewall the listener had NTLM/Basic selected, and delegation was set to KCD (Kerberos Constrained Delegation).
So we collected TMG Data Packager output in repro mode and a Fiddler trace on the external client.
TMG Data Packager can be downloaded from here:
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=17730
How to use it:
http://blogs.technet.com/b/yuridiogenes/archive/2009/03/13/using-isabpa-for-proactively-and-reactively-work-with-isa-server-part-1-of-2.aspx
http://blogs.technet.com/b/yuridiogenes/archive/2009/05/07/using-isabpa-for-proactive-and-reactive-work-with-isa-server-part-2-of-2.aspx
Here is what we saw in the data:
In the TMG logs / tracing we see:
ISA cannot authenticate the client because the client's request doesn't contain Authorization headers.
"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." for error code WINERROR=2FB1 (12209)
So TMG was looking for Authorization headers, they were not present, and it denied the traffic.
Then we analyzed the Fiddler trace and this is what we saw:
GET https://www.nwtraders.com/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8; Tablet PC 2.0; CIBA; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|25C8953C851D2842-600001276000354C[CE]
Host: https://www.nwtraders.com

HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. )
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nwtraders.com"
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2073
Proxy-Support: Session-Based-Authentication
The WWW-Authenticate headers list Negotiate first and then Kerberos. By default IE 7 and above will use Kerberos as the initial auth method; since the client is on the external network it cannot get a Kerberos ticket, and that is the reason for the failure.
So to fix this issue we need to run the script from KB 927265 (http://support.microsoft.com/kb/927265) on the TMG server.
What this script does is make NTLM the default behavior. Here is what it says:
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
Const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always = 1

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
Const SE_VPS_VALUE = 1 ' = USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always: advertise only NTLM for Integrated auth
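To verify the listener behaviour before and after applying the script, here is an added check (my own example, not part of the KB script or of TMG) that parses raw HTTP text as exported from Fiddler, lists the schemes a 401 advertises, and flags the case above where Negotiate/Kerberos are offered to a client that sent no Authorization header. The sample request and responses are constructed from the trace above; the post-fix response is what the listener is expected to return once UseOnlyNTLMForWindowsAuth=1 is set.

```python
# Constructed samples modelled on the trace above: the client's GET (no
# Authorization header) and the TMG 401 with its WWW-Authenticate lines.
SAMPLE_REQUEST = "GET https://www.nwtraders.com/ HTTP/1.1\r\nHost: www.nwtraders.com\r\n\r\n"
CHALLENGE_BEFORE_FIX = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Kerberos\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="www.nwtraders.com"\r\n'
    "Proxy-Support: Session-Based-Authentication\r\n\r\n"
)
# Constructed expectation after UseOnlyNTLMForWindowsAuth=1 (KB 927265) is
# applied to the listener: Negotiate and Kerberos are no longer advertised.
CHALLENGE_AFTER_FIX = (
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="www.nwtraders.com"\r\n\r\n'
)
KERBEROS_SCHEMES = {"negotiate", "kerberos"}

def header_values(raw_message, header_name):
    """All values of header_name, in wire order, from one raw HTTP message."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header_name.lower():
            values.append(value.strip())
    return values

def challenge_schemes(raw_response):
    """Schemes a 401 offers, in order, with realm/token parameters dropped."""
    return [v.split(" ", 1)[0] for v in header_values(raw_response, "WWW-Authenticate")]

def diagnose(raw_request, raw_response):
    """Classify one request/response pair from the trace."""
    schemes = challenge_schemes(raw_response)
    if not raw_response.startswith("HTTP/1.1 401") or not schemes:
        return "not an authentication challenge"
    if header_values(raw_request, "Authorization"):
        return "client sent Authorization: check credentials or KCD delegation instead"
    kerb = [s for s in schemes if s.lower() in KERBEROS_SCHEMES]
    if kerb:
        return ("Kerberos-capable schemes offered: " + ", ".join(kerb)
                + "; external clients get no ticket, apply UseOnlyNTLMForWindowsAuth=1")
    return "ok: challenge offers " + ", ".join(schemes)

if __name__ == "__main__":
    print(diagnose(SAMPLE_REQUEST, CHALLENGE_BEFORE_FIX))
    print(diagnose(SAMPLE_REQUEST, CHALLENGE_AFTER_FIX))
```

Feed it the raw request/response text of the first 401 in a trace: the pre-fix output is the misconfiguration from this post, while a challenge listing only NTLM and Basic means the script has taken effect on that listener.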
Author:
Junaid Ahmad Jan
Security Support Escalation Engineer
MSD Security Team