How to determine the NTLM version used for Windows Domain user authentication from debug trace file
During the course of troubleshooting Authentication Offload for Windows Domain users in an environment where ScaleArc is not joined to the Windows Active Directory (AD) domain, it may become necessary to verify the actual NTLM version being used by the client application for user authentication. The following procedure describes the steps needed to collect a debug log capture on ScaleArc along with the subsequent steps required to analyse the packet capture file generated.
- Log in to the ScaleArc appliance with admin credentials
- Navigate to the Cluster Settings for the desired cluster
- Select the Debug tab
- Scroll down to the "Verbose Debug Mode" setting
- Download and delete any previously existing debug files [NOTE: New debug files will not be allowed until the previous file, if any, has been removed]
- Set the "Verbose Debug Mode" to "On" [NOTE: this will impact performance and should only be done on production systems during moderate to low traffic periods]
- Enter the admin user credentials in the pop-up dialog box
- Enter the desired duration for the verbose logging to be enabled
- You should now see an alert message that the selected cluster is running in debug mode
- Execute a manual test connection from the application in question to ScaleArc to ensure the necessary traffic is captured
- Wait for the configured verbose logging duration to expire or manually set the "Verbose Debug Mode" to "Off"
- Click on the "download" link in the "Verbose Debug Mode" setting description
- Transfer the downloaded verboseLog.tar.gz file to a CSS ScaleArc system for analysis
# scp verboseLog.tar.gz firstname.lastname@example.org:/home/idb
- Unpack the verboseLog.tar.gz file
[idb@scalearc]~# tar xvfz verboseLog.tar.gz
- Install the wireshark application on the CSS ScaleArc [NOTE: this should not be done on a customer system since the wireshark packages have not been validated to perform without interference to the ScaleArc appliance]
[idb@scalearc]~# sudo yum install wireshark
- Change directory to the location of the pcap file(s)
- Use the tshark application to search the pcap file(s) for NTLMv2 packets (on tshark releases older than 1.10 use the deprecated read-filter option "-R" in place of the display-filter option "-Y")
[idb@scalearc]~# tshark -r capture.pcap0 -Y ntlmssp.ntlmv2_response
If the command outputs any packets, NTLMv2 is in use. If no packets are returned, NTLMv1 is in use (provided the capture contains the manual test connection from the application made above).
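The tshark field used above corresponds to the NTLMv2_RESPONSE structure that Wireshark decodes when the NtChallengeResponse in the NTLMSSP AUTHENTICATE message is longer than the fixed 24-byte NTLMv1 response. The following Python example is added here and is not ScaleArc code or part of the original article; it applies the same decision to raw NTLMSSP AUTHENTICATE bytes (assumed already extracted from the database protocol carrying them) and builds constructed sample messages to exercise it.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMV1_NT_RESPONSE_LEN = 24  # the DES-based NTLMv1 response is always 24 bytes


def _field(buf, pos):
    """Read an 8-byte NTLM field descriptor: Len, MaxLen, BufferOffset."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, pos)
    return length, offset


def classify_ntlm_authenticate(msg):
    """Return 'NTLMv1', 'NTLMv2' or 'unknown' for an NTLMSSP AUTHENTICATE_MESSAGE
    (MS-NLMP 2.2.1.3); return None if msg is not an AUTHENTICATE_MESSAGE at all."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        return None
    nt_len, nt_off = _field(msg, 20)  # NtChallengeResponseFields
    if nt_len == 0 or nt_off + nt_len > len(msg):
        return "unknown"  # anonymous logon, or the capture truncated the message
    nt_resp = msg[nt_off:nt_off + nt_len]
    if nt_len == NTLMV1_NT_RESPONSE_LEN:
        return "NTLMv1"
    # NTLMv2_RESPONSE = 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE, whose first
    # two bytes are RespType=0x01 and HiRespType=0x01 (MS-NLMP 2.2.2.8 / 2.2.2.7).
    if nt_len > NTLMV1_NT_RESPONSE_LEN and nt_resp[16:18] == b"\x01\x01":
        return "NTLMv2"
    return "unknown"


def build_authenticate(nt_response):
    """Construct a minimal AUTHENTICATE_MESSAGE whose only payload is nt_response."""
    hdr = 64  # signature + MessageType + six field descriptors + NegotiateFlags
    fields = struct.pack("<HHI", 0, 0, hdr)  # LmChallengeResponse: empty
    fields += struct.pack("<HHI", len(nt_response), len(nt_response), hdr)  # NtChallengeResponse
    for _ in range(4):  # DomainName, UserName, Workstation, EncryptedRandomSessionKey: empty
        fields += struct.pack("<HHI", 0, 0, hdr + len(nt_response))
    flags = struct.pack("<I", 0x00088205)  # constructed NegotiateFlags value
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields + flags + nt_response


# Constructed sample responses (not real credentials). The NTLMv2 one is NTProofStr(16) +
# RespType, HiRespType, Reserved1(2), Reserved2(4), TimeStamp(8), ChallengeFromClient(8),
# Reserved3(4) + an AV_PAIR list holding only MsvAvEOL(4).
SAMPLE_V1 = build_authenticate(b"\x11" * 24)
SAMPLE_V2 = build_authenticate(
    b"\x22" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x33" * 8 + b"\x44" * 8 + b"\x00" * 8)

if __name__ == "__main__":
    for name, blob in (("NTLMv1 sample", SAMPLE_V1), ("NTLMv2 sample", SAMPLE_V2)):
        print(name, "->", classify_ntlm_authenticate(blob))
```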
If you are experiencing issues with ScaleArc or with any of its features, please contact ScaleArc Support. We are available 24x7 by phone at 855 800 7225 or +1 408 412 7315. For general support inquiries, you can also e-mail us at email@example.com.
2901 Tasman Drive Santa Clara, CA 95054 | Email: firstname.lastname@example.org