How does BCAAA validate NTLM credentials ?



Solution

Overview

When Windows validates NTLM credentials, those credentials must be sent over a Netlogon connection to a Domain Controller (DC) for validation. Windows establishes only a single Netlogon connection to a single DC for each domain, and it sends only one request at a time over that connection. Therefore, if the ProxySG sends authentication requests to BCAAA faster than the DC can process them, the requests back up and time out (000012087).

If we scan through the BCAAA debug log, we see that some calls to AcceptSecurityContext return immediately. These calls process the client's NTLM Type 1 message and generate the Type 2 message. Here's an example:

2011/04/20 23:20:06.679 [5236] AcceptSecCtxt: pCtx=0 tLen=056 tId=84e4ad08 sn=b1c5 ct=0
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt returns  0x90312 LastError 317
...
2011/04/20 23:20:06.679 [5236] status=SEC_I_CONTINUE_NEEDED pCtx=3f5290:1 ts=4daf6a26

AcceptSecurityContext is fast in this case because the Type 2 message (the server challenge) can be generated without contacting a DC. Credentials are not validated until the Type 3 message is received.

Once BCAAA receives the NTLM Type 3 message, it sends that message to the DC over the Netlogon connection for validation. This is the step that queues behind the single, one-request-at-a-time connection described above, so it is where delays and timeouts appear.
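To make that distinction measurable in a real log, the following added Python example (not part of the article or of BCAAA) pairs each AcceptSecCtxt call with its "returns" line on the same thread and reports how long each Type 3 validation (non-zero pCtx, the step that goes to the DC) took. The sample log is constructed from the lines quoted above; the Type 3 entries, the 0x0 (SEC_E_OK) return line and the one-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed BCAAA debug-log excerpt modelled on the lines quoted in the
# article. The Type 3 entries (pCtx != 0, returns 0x0) and their timestamps
# are assumptions chosen to show one fast Type 1 call and one slow Type 3 call.
SAMPLE_LOG = """\
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt: pCtx=0 tLen=056 tId=84e4ad08 sn=b1c5 ct=0
2011/04/20 23:20:06.679 [5236] AcceptSecCtxt returns  0x90312 LastError 317
2011/04/20 23:20:06.679 [5236] status=SEC_I_CONTINUE_NEEDED pCtx=3f5290:1 ts=4daf6a26
2011/04/20 23:20:06.802 [5236] AcceptSecCtxt: pCtx=3f5290 tLen=210 tId=84e4ad08 sn=b1c5 ct=1
2011/04/20 23:20:09.415 [5236] AcceptSecCtxt returns  0x0 LastError 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<tid>\d+)\] "
    r"AcceptSecCtxt(?::\s+pCtx=(?P<pctx>[0-9a-fA-F]+)| returns\s+(?P<rc>0x[0-9a-fA-F]+))"
)
SEC_I_CONTINUE_NEEDED = 0x90312  # the value BCAAA logs for the Type 1 -> Type 2 step

def parse_ts(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S.%f")

def accept_calls(log):
    """Pair each AcceptSecCtxt entry with the 'returns' line of the same thread.
    Returns one dict per call: thread, stage ('type1' or 'type3'), rc, seconds."""
    pending = {}   # thread id -> (start time, pCtx) for a call awaiting its return
    calls = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, ts = m["tid"], parse_ts(m["ts"])
        if m["pctx"] is not None:
            pending[tid] = (ts, int(m["pctx"], 16))
        elif tid in pending:
            start, pctx = pending.pop(tid)
            # pCtx=0 is a brand-new context: the Type 1 -> Type 2 step, which never
            # touches the DC. A non-zero pCtx is the Type 3 step sent to the DC.
            stage = "type1" if pctx == 0 else "type3"
            calls.append({"thread": tid, "stage": stage, "rc": int(m["rc"], 16),
                          "seconds": (ts - start).total_seconds()})
    return calls

def slow_dc_validations(log, threshold_s=1.0):
    """Type 3 validations slower than the threshold: evidence that the single
    Netlogon connection to the DC is backing up."""
    return [c for c in accept_calls(log)
            if c["stage"] == "type3" and c["seconds"] > threshold_s]
```

Run it against a full BCAAA debug log to see whether Type 3 latency grows with request rate, which is the signature of the Netlogon bottleneck the article describes.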
InQuira Doc Id      FAQ1356
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Software      SGOS 4, SGOS 5, SGOS 6
Topic      Authentication, BCAAA
Article Number      000010036