NTLM Authentication in pass-through mode failing with IE after upgrading to NAM 3.2

  • 7014114
  • 14-Nov-2013
  • 14-Nov-2013


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 SUpport Pack 2 applied
IIS 6 and 7 Web servers with Applications authenticating users with NTLM


Access Manager 3.1 setup and working well. After installing Access Manager 3.2, with the Apache basd proxy, and moving some of the Applications across, user sstarted complaining of looping when trying to authenticate to some back end web servers. Each of these web servers had NTLM authentication enabled, and the problem users were using IE (version did not matter). If the same users used Firefox or Chrome from the same browser, no issues were reported. Using an IE plugin, we also confirmed that IE would work if we changed the User-agent in the request to the AG to a Firefox or Chrome User-agent.

Looking at the browser level logs, the 3 way NTLM handshake would always complete across multiple TCP sessions with IE, but when using Chrome or Firefox the TCP handshake would remain persistent for the complete NTLM handshake. NTLM authentication requires the session to complete over the same TCP connection, and HTTP persistence needs to be enabled by default. In the case of Chrome and Firefox, each response from the AG to the browser would include the HTTP 'Connection: keep-alive' header but with IE, the AG would send a HTTP 'Connection: close' header during the handshake.

The issue could not be duplicated on another remote NAM appliance setup to accelerate the same Web server..


Remove “BrowserMatch MSIE force-no-vary” from the httpd.conf file. This is NOT a default setting. The setting had been added by the administrator to fix an issue with the “back” button in IE for a specific app.

The application that this parameter was needed for was not running NTLM, so we simply added the above “BrowserMatch MSIE force-no-vary” statement to the Advanced Options for that back end Web server in iManager.