I came across an issue where we were getting "Page cannot be displayed" while accessing a published website through TMG 2010 with NTLM authentication configured on the listener.

On the TMG firewall, NTLM/Basic was selected on the listener and delegation was set to KCD (Kerberos Constrained Delegation).

So we collected TMG Data Packager output in repro mode and also a Fiddler trace on the external client.

TMG Data Packager can be downloaded from here:

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=17730

How to use it:

http://blogs.technet.com/b/yuridiogenes/archive/2009/03/13/using-isabpa-for-proactively-and-reactively-work-with-isa-server-part-1-of-2.aspx

http://blogs.technet.com/b/yuridiogenes/archive/2009/05/07/using-isabpa-for-proactive-and-reactive-work-with-isa-server-part-2-of-2.aspx

Here is what we saw in the data.

In the TMG logs/tracing we see:

ISA cannot authenticate client b/c client's request doesn't contain authorization headers.

"The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." for error code WINERROR=2FB1 (12209)

So TMG was looking for authorization headers, they were not present in the request, and it denied the traffic.

Then we analyzed the Fiddler trace and this is what we saw:

GET https://www.nwtraders.com/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8; Tablet PC 2.0; CIBA; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|25C8953C851D2842-600001276000354C[CE]
Host: https://www.nwtraders.com

HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  )
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nwtraders.com"
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2073
Proxy-Support: Session-Based-Authentication

We see the WWW-Authenticate header offering Negotiate and then Kerberos. By default, IE 7 and above will use Kerberos as the initial authentication method, and since the client is on the external network it cannot obtain a Kerberos ticket; that is the reason for the failure.

So to fix this issue we need to run the script from KB 927265 (http://support.microsoft.com/kb/927265) on the TMG server.

What this script does is make NTLM the default behavior: it sets the UseOnlyNTLMForWindowsAuth vendor parameter to 1, so the listener no longer returns Negotiate and Kerberos for integrated authentication. Here is what it says:

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always  = 1

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
Const SE_VPS_VALUE = 1
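As an added check (example code, not from the original post or the KB script), the following parses a Fiddler-captured 401 from the listener and lists the schemes it offers, so you can confirm before and after running the script that Negotiate/Kerberos is no longer returned to external clients. The "before" capture mirrors the response shown above; the "after" capture is constructed to show the expected result.

```python
# Added example: inspect a captured TMG listener 401 and report which Windows auth
# schemes it offers. Sample captures are constructed from the trace shown in the post.
from typing import List, Tuple

def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP response head into (status code, [(header name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.splitlines() if line.strip()]
    status = int(lines[0].split()[1])            # "HTTP/1.1 401 Unauthorized (...)"
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def offered_schemes(raw: str) -> List[str]:
    """Return the auth schemes a 401 challenge offers, in the order the listener sent them."""
    status, headers = parse_response(raw)
    if status != 401:
        return []
    # Each WWW-Authenticate value starts with the scheme token ('Basic realm=...' -> 'Basic').
    return [value.split()[0] for name, value in headers if name == "www-authenticate"]

def offers_kerberos(schemes: List[str]) -> bool:
    """True when Negotiate or Kerberos is offered, i.e. an IE 7+ client will try Kerberos first."""
    return any(s.lower() in ("negotiate", "kerberos") for s in schemes)

# Constructed from the Fiddler trace above: listener before the KB 927265 script.
BEFORE = (
    "HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. )\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Kerberos\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Basic realm=\"www.nwtraders.com\"\r\n"
    "\r\n"
)

# Constructed: the same listener after UseOnlyNTLMForWindowsAuth has been set to 1.
AFTER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Basic realm=\"www.nwtraders.com\"\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        schemes = offered_schemes(capture)
        print(f"{label}: {schemes} -> Kerberos offered: {offers_kerberos(schemes)}")
```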



Author:

Junaid Ahmad Jan

Security Support Escalation Engineer

MSD Security Team