NTLMv2 does not work behind IIS Reverse Proxy

May 26, 2011 at 9:09 AM


We have an authentication problem with NTLMv2 in an IBM WebSphere and Microsoft IIS environment. We are using Windows 7 as client machines.

The IIS is configured to forward all requests with an ISAPI plugin to a WebSphere server, which runs our application with the implemented Waffle filter (set to use NTLM only).
When we connect with IE8 to the WebSphere server directly, the SSO with NTLM works fine.
When we connect with IE8 over the IIS, the WebSphere server sends the challenge to the client but the answer does not come back to the server. The user is then prompted for username/password, which also does not get sent to the WebSphere server.
The interesting thing is that if we use Firefox, we can log in after being prompted for username/password, and the Chrome browser even does SSO without prompting for username/password.

The URL we use is part of the intranet zone and Integrated Authentication is enabled, too.

Does anyone have an idea why the IE8 SSO does not work?
An interesting phenomenon is that when you use Fiddler to analyse it, the POST from the username/password prompt with IE8 works even over the IIS.

May 31, 2011 at 8:00 PM

Once you get a prompt and a POST of a username/password, you're doing a completely different type of negotiation. There are 100 things that can go wrong when involving the proxy in authentication; there are tools to troubleshoot this.

Troubleshooting Kerberos

Troubleshooting NTLM

I suggest getting rid of the IIS proxy altogether and using Waffle on your WebSphere server.
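The symptom in the question (the server's NTLM challenge goes out, the client's answer never arrives) is easiest to pin down by looking at which NTLMSSP message types actually reach the back end on each leg. The following Python script is an added example written for this thread; it is not code from the original posts, from Waffle, or from WebSphere. It decodes the `NTLM`/`Negotiate` tokens carried in `WWW-Authenticate` and `Authorization` headers (for instance copied out of a Fiddler session), reports the message type and the troubleshooting-relevant fields, and states where a handshake stalled. The sample traces, flag values, domain, user and workstation names are all constructed for the example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def decode_ntlm_token(header_value):
    """Return the raw NTLMSSP bytes from an 'NTLM <b64>' or 'Negotiate <b64>'
    header value, or None if the header carries no NTLM token (Basic, or a
    Kerberos/SPNEGO blob under Negotiate)."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    return raw if raw.startswith(NTLMSSP_SIGNATURE) else None


def _sec_buffer(raw, offset):
    """Read an NTLM security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", raw, offset)
    return raw[start:start + length]


def describe_ntlm_message(raw):
    """Summarise an NTLMSSP message: its type (1, 2 or 3) and key fields."""
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:    # NEGOTIATE: client opens the handshake
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 2:  # CHALLENGE: server sends its 8-byte nonce
        info["target"] = _sec_buffer(raw, 12).decode("utf-16-le")
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["challenge"] = raw[24:32].hex()
    elif msg_type == 3:  # AUTHENTICATE: client answers the challenge
        info["nt_response_len"] = len(_sec_buffer(raw, 20))
        info["domain"] = _sec_buffer(raw, 28).decode("utf-16-le")
        info["user"] = _sec_buffer(raw, 36).decode("utf-16-le")
        info["workstation"] = _sec_buffer(raw, 44).decode("utf-16-le")
    return info


def audit_handshake(exchange):
    """exchange: list of (direction, header_value) in wire order as seen by the
    back end ('C>S' = Authorization received, 'S>C' = WWW-Authenticate sent).
    Returns (list of message types seen, verdict string)."""
    types = []
    for _direction, header in exchange:
        raw = decode_ntlm_token(header)
        if raw is not None:
            types.append(describe_ntlm_message(raw)["type"])
    if types == [1, 2, 3]:
        verdict = "complete"
    elif types == [1, 2]:
        verdict = "stalled: challenge (Type 2) sent, client Type 3 never reached the server"
    elif types == [1]:
        verdict = "stalled: negotiate (Type 1) received, server never issued a challenge"
    elif not types:
        verdict = "no NTLM messages seen"
    else:
        verdict = "unexpected sequence: " + ",".join(map(str, types))
    return types, verdict


# --- constructed sample messages (flag values and names are made up) ---
def _build_type1(flags=0xE2088297):
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def _build_type2(target="EXAMPLE", challenge=bytes.fromhex("0123456789abcdef")):
    tname = target.encode("utf-16-le")
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tname), len(tname), 48)   # TargetName at 48
            + struct.pack("<I", 0xE2898215) + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(tname)) + tname)  # empty TargetInfo


def _build_type3(domain="EXAMPLE", user="alice", workstation="WIN7-PC"):
    fields = [b"", b"\x11" * 24, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    bufs, payload = b"", b""
    for f in fields:  # six security buffers; payload starts after the 64-byte header
        bufs += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", 0xE2888215) + payload


def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed traces modelled on the thread: direct connection completes,
# the proxied one stops after the challenge.
DIRECT_TRACE = [("C>S", _hdr("NTLM", _build_type1())),
                ("S>C", _hdr("NTLM", _build_type2())),
                ("C>S", _hdr("NTLM", _build_type3()))]
PROXIED_TRACE = DIRECT_TRACE[:2]

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TRACE), ("via proxy", PROXIED_TRACE)):
        for direction, header in trace:
            print(name, direction, describe_ntlm_message(decode_ntlm_token(header)))
        print(name, "->", audit_handshake(trace)[1])
```

Reading a real trace with this on both sides of the proxy tells you whether the Type 3 left the browser and was dropped in transit, or never left at all. One detail worth keeping in mind while comparing the two captures: NTLM authenticates the TCP connection rather than the individual request, so a proxy that opens a fresh back-end connection for the third leg, or that rewrites the `Authorization` header, produces exactly the "challenge sent, no answer" pattern described in the question.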

Jun 1, 2011 at 7:24 AM

Thanks for the troubleshooting links.

Unfortunately our customer is using the IIS for load balancing his WebSphere servers, and getting rid of the proxy is not a solution.

Jun 7, 2011 at 11:16 PM

IIS or ISA? I would do some serious NTLM/Kerberos debugging, I am sure there's a good reason why the proxy is killing either negotiation.