Sporadic NTLM failures then authentication popups

thomascollins
Level 3

Lately we've been experiencing some authentication problems.

We're running v7.1.3-021 for Web.  Browsers are IE 8 and 9, and FireFox. Desktops XP and Win7.  We have one authentication realm setup, using NTLM.  We have three domain controllers listed, and the "Test Current Settings" returns no errors.

Things have been working fine for years. The browsers seamlessly pass auth credentials, never prompting the user.  However this past week, some users are randomly getting authentication popups from their browser.  It's not at particular times or websites.  Once they enter their credentials they can resume browsing -- but may be reprompted later in the day.

There have been no recent AD or WSA changes, although this past weekend we did have a power hiccup that caused everything to reboot. 

The WSA authentication logs show lots of:

Wed May 23 09:11:25 2012 Info: PROX_AUTH : - : Login for user []\[]@[PCNAME] failed due to [No such user]

And the occasional:

Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN1]\[USERNAME] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 12)

Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : Login for user [DOMAIN1]\[USERNAME]@[PCNAME] failed due to [No logon servers]

Tue May 22 13:32:42 2012 Critical: PROX_AUTH : - : NTLMSSP BH: NT_STATUS_NO_LOGON_SERVERS

(real names changed)

It seems like it's pointing to an AD problem, but we can't find anything wrong with the controllers.  No EventViewer errors, and no other AD-related problems.

So far we've re-joined the WSA to the domain.  No change.

Any other ideas of areas to check?

Thanks,

Tom
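
A small triage helper, added here as an example (not from the original post and not a Cisco tool), that parses lines in the WSA authentication-log format quoted above, separates the NT_STATUS_NO_LOGON_SERVERS / [No logon servers] events (the WSA failing to reach a DC) from the [No such user] noise, and buckets the former per hour so bursts can be lined up against the user complaints. The sample lines are constructed, with DOMAIN1/USERNAME/PCNAME as placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the WSA authentication-log format quoted in the thread
# (DOMAIN1/USERNAME/PCNAME/USER2/PC2 are placeholders, not real values).
SAMPLE_LOG = """\
Wed May 23 09:11:25 2012 Info: PROX_AUTH : - : Login for user []\\[]@[PCNAME] failed due to [No such user]
Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN1]\\[USERNAME] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 12)
Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : Login for user [DOMAIN1]\\[USERNAME]@[PCNAME] failed due to [No logon servers]
Tue May 22 13:32:42 2012 Critical: PROX_AUTH : - : NTLMSSP BH: NT_STATUS_NO_LOGON_SERVERS
Tue May 22 13:40:10 2012 Info: PROX_AUTH : - : Login for user [DOMAIN1]\\[USER2]@[PC2] failed due to [No logon servers]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): PROX_AUTH : - : (?P<msg>.*)$"
)

def classify(msg):
    """Map a PROX_AUTH message to the failure class discussed in the thread."""
    if "NT_STATUS_NO_LOGON_SERVERS" in msg or "[No logon servers]" in msg:
        return "no_logon_servers"   # WSA could not reach a DC for this request
    if "[No such user]" in msg:
        return "no_such_user"       # credentials presented for an unknown/empty user
    return "other"

def parse_line(line):
    """Return {'ts', 'level', 'msg', 'kind'} for a PROX_AUTH line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    msg = m.group("msg")
    return {"ts": ts, "level": m.group("level"), "msg": msg, "kind": classify(msg)}

def summarize(log_text):
    """Count failure classes and bucket DC-reachability failures per hour."""
    counts = Counter()
    by_hour = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue                # ignore lines from other subsystems
        counts[ev["kind"]] += 1
        if ev["kind"] == "no_logon_servers":
            by_hour[ev["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return {"counts": dict(counts), "by_hour": dict(by_hour)}
```

Feed it the real authlog and compare the hourly buckets with the times users reported popups; a spike in no_logon_servers with no matching DC event-log errors points at the path between WSA and the DCs rather than at AD itself.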

6 Replies

Chris Illsley
Level 3

Hi Tom,

You haven't ended up with the dodgy update from the weekend?

https://supportforums.cisco.com/thread/2150671?tstart=0

If you check in the Security -> Anti Malware section you should see an error telling you if you have.

Thanks

Chris

Hey Chris, thanks for the reply.

But nope-- we're McAfee and Webroot, no Sophos.  And the problem started Monday.

sfiebran
Cisco Employee

Hi Tom,

Are you by chance using 2008 AD controllers (with the latest patches)?

With a patch level from somewhere in early 2012 the NetBIOS authentication on AD has been "discontinued" by Microsoft, but the WSA (pre 7.5) may still try to use it. For this short moment the auth fails; it will reconnect, probably then use 445, and things work again for a while. If you make a packet capture on port 139 towards AD in Wireshark you will find NBSS negotiations failing:

Message Type: Negative session response

Error code: Called name not presen

This would confirm that you are running into this issue. The best approach is to make sure that the WSA can't communicate on port 139 to the Active Directory DCs.

Interesting. 

We do use 2008 AD, but no recent patches (May 2011 were the latest patches applied).

But it definitely sounds like this could be a similar problem. I see the WSA trying 139, then quickly switching to 445.  I haven't been able to get a capture yet. 

It looks like v7.5 isn't out yet, do you know an anticipated release date?  Or should I try blocking 139?

7.5 should be released soon; however, if you're confident that you are running into this issue, then just open a customer support ticket. Usually they will kindly provision you 7.5, as it is already FCS.

alexdelangel
Level 1

Hello friends,

Please allow me to resurrect this old post. I am facing the same issue; could you please tell me what the solution was?

Regards!