How does BCAAA validate NTLM credentials?

Solution

Overview

When Windows validates NTLM credentials, it must send those credentials over a Netlogon connection to a Domain Controller (DC) for validation. Windows establishes only a single connection to a single DC for each domain, and it sends only one request at a time over that connection. Therefore, if the ProxySG sends authentication requests to BCAAA faster than the DC can process them, requests back up and time out (000012087).

If we scan through the BCAAA debug log, we see that some calls to AcceptSecurityContext return immediately; these calls process the client's NTLM Type 1 message and generate a Type 2 message. Here's an example:

2011/04/20 23:20:06.679 [5236] AcceptSecCtxt: pCtx=0 tLen=056 tId=84e4ad08 sn=b1c5 ct=0
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt returns  0x90312 LastError 317
...
2011/04/20 23:20:06.679 [5236] status=SEC_I_CONTINUE_NEEDED pCtx=3f5290:1 ts=4daf6a26

AcceptSecurityContext is fast in this case because the Type 2 message can be generated without contacting a DC. Credentials are not validated until the Type 3 message is received.

Once BCAAA receives an NTLM Type 3 message, it sends that message to the DC over the Netlogon connection for validation; this is the AcceptSecurityContext call that has to wait for the DC.
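As an added diagnostic that is not part of the original article: a parser for the BCAAA log lines shown above that pairs each AcceptSecCtxt call with the matching return on the same thread and reports how long each call took, so slow Type 3 validations (the ones waiting on the DC) stand out from the fast Type 1 calls. It assumes pCtx=0 marks the first call for a context, as in the excerpt; thread 5240 and its timings are constructed sample data, and the 1000 ms threshold is an arbitrary example value.

```python
"""Measure AcceptSecurityContext latency in a BCAAA debug log."""
import re
from datetime import datetime

# Line shape taken from the log excerpt; trailing fields (tLen, tId, sn, ct) are ignored.
CALL_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] AcceptSecCtxt: pCtx=([0-9a-f]+)")
RET_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] AcceptSecCtxt returns\s+(\S+)")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def accept_latencies(lines):
    """Return (thread, stage, elapsed_ms, status) for each completed call.

    pCtx=0 is a first call (Type 1 in, Type 2 out, no DC round trip);
    a non-zero pCtx is the Type 3 call that waits on the Netlogon connection.
    """
    pending = {}   # thread id -> (start time, stage)
    results = []
    for line in lines:
        m = CALL_RE.match(line)
        if m:
            ts, tid, pctx = m.groups()
            stage = "type1" if int(pctx, 16) == 0 else "type3"
            pending[tid] = (datetime.strptime(ts, TS_FMT), stage)
            continue
        m = RET_RE.match(line)
        if m and m.group(2) in pending:
            ts, tid, status = m.groups()
            start, stage = pending.pop(tid)
            elapsed = (datetime.strptime(ts, TS_FMT) - start).total_seconds() * 1000
            results.append((tid, stage, round(elapsed), status))
    return results


def slow_validations(lines, threshold_ms=1000):
    """Type 3 calls slower than the threshold: a sign the DC request queue is backed up."""
    return [r for r in accept_latencies(lines) if r[1] == "type3" and r[2] > threshold_ms]


# Constructed sample: the Type 1 exchange from the excerpt (thread 5236) plus a
# made-up Type 3 call on thread 5240 that waits about 2.5 s for the DC.
SAMPLE_LOG = """\
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt: pCtx=0 tLen=056 tId=84e4ad08 sn=b1c5 ct=0
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt returns  0x90312 LastError 317
2011/04/20 23:20:06.679 [5236] status=SEC_I_CONTINUE_NEEDED pCtx=3f5290:1 ts=4daf6a26
2011/04/20 23:20:06.702 [5240] AcceptSecCtxt: pCtx=3f5290 tLen=240 tId=84e4ad08 sn=b1c6 ct=1
2011/04/20 23:20:09.215 [5240] AcceptSecCtxt returns  0x0 LastError 0
""".splitlines()

if __name__ == "__main__":
    for tid, stage, ms, status in accept_latencies(SAMPLE_LOG):
        print(f"thread {tid}: {stage} took {ms} ms (status {status})")
```

Run it against a real debug log by replacing SAMPLE_LOG with the file's lines; a growing number of slow Type 3 calls over time is the backlog the article describes.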
InQuira Doc Id: FAQ1356