ScaleArc only supports NTLM version 2. How do I tell what version of NTLM my Windows clients and SQL Server are using?
To see which NTLM authentication level a client or server is configured for, open the Local Security Policy editor (secpol.msc) and check:
Local Policies > Security Options > Network Security: LAN Manager authentication level.
This policy is stored as the LmCompatibilityLevel value (0 to 5) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Levels 3 to 5 send NTLMv2 responses only; level 5 additionally refuses LM and NTLMv1 from clients. The policy only says what a machine is willing to send; to see what was actually used on the wire, look at the NTLM AUTHENTICATE message in a packet capture, as in the excerpts below.
NTLM Version 1
Excerpt from a packet capture of the NLMP frame "NLMP: NTLM AUTHENTICATE MESSAGE":
  -> LmChallengeResponse: Length: 24, Offset: 112
       Length: 24 (0x18)
       MaximumLength: 24 (0x18)
       BufferOffset: 112 (0x70)
  -> NtChallengeResponse: Length: 24, Offset: 136
       Length: 24 (0x18)

NTLM Version 2
The same frame from an NTLMv2 client carries an NTLMv2 response in the NtChallengeResponse slot instead, for example:
  -> NTLMV2ChallengeResponse: 2D6515D426741B174F144F55B04B2FD0
In the same capture, the TDS response from ScaleArc may carry an error token ("TDSServerResponseData" -> "TDSERROR" -> "WorMsgText") with the text:
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
ScaleArc generates that message when the client authenticates with NTLMv1 or LM, which ScaleArc does not support (both protocols are roughly 19 years old at the time of writing).
The rule of thumb when reading the capture: an NtChallengeResponse length of 24 bytes is NTLMv1, whereas an NTLMv2 response is longer than 24 bytes (a 16-byte NTProofStr followed by the variable-length NTLMv2 client challenge blob).
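The classification rule above, as an added example in Python (this is not ScaleArc, FreeTDS or Microsoft code): it reads the Len/MaxLen/Offset fields of an NTLM AUTHENTICATE_MESSAGE the same way the capture parser does and reports the version from the NtChallengeResponse length. The messages it feeds itself are constructed for the demo (the CORP/svc/WS1 names and the response bytes are placeholders; the 16-byte NTProofStr reuses the value shown in the excerpt). It also goes a little beyond the page by distinguishing NTLMv1 with extended session security, which still has a 24-byte NT response, and an anonymous (zero-length) response.

```python
"""Classify an NTLM AUTHENTICATE_MESSAGE (Type 3) by NtChallengeResponse length.

Added example, not ScaleArc/FreeTDS/Microsoft code. Field layout follows
[MS-NLMP] 2.2.1.3; all sample messages below are constructed for the demo.
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
# NegotiateFlags bit that selects NTLMv1 with extended session security ("NTLM2 session")
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
# Byte offsets of the Len/MaxLen/Offset triples and the NegotiateFlags in AUTHENTICATE_MESSAGE
LM_FIELDS, NT_FIELDS, FLAGS_OFFSET = 12, 20, 60


def _read_field(data, off):
    """Decode one (Len, MaxLen, BufferOffset) triple, little-endian."""
    return struct.unpack_from("<HHI", data, off)


def classify_authenticate(data):
    """Return the NTLM version plus the raw LM/NT response lengths of one AUTHENTICATE_MESSAGE."""
    if len(data) < 64 or data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type != MSG_AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE_MESSAGE (type 3), got type %d" % msg_type)

    lm_len, _, lm_off = _read_field(data, LM_FIELDS)
    nt_len, _, nt_off = _read_field(data, NT_FIELDS)
    flags = struct.unpack_from("<I", data, FLAGS_OFFSET)[0]
    lm_resp = data[lm_off:lm_off + lm_len]
    nt_resp = data[nt_off:nt_off + nt_len]

    if nt_len == 0:
        version = "anonymous"
    elif nt_len == 24:
        # 24 bytes = NTLMv1 (three DES blocks over the NT hash). With extended session
        # security the LM slot holds an 8-byte client nonce followed by 16 zero bytes.
        ess = bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
        if ess and lm_len == 24 and lm_resp[8:] == bytes(16):
            version = "NTLMv1 with extended session security"
        else:
            version = "NTLMv1"
    elif nt_len > 24:
        # NTLMv2: 16-byte NTProofStr (HMAC-MD5) followed by the variable-length
        # NTLMv2_CLIENT_CHALLENGE blob (timestamp, client nonce, AV_PAIRs).
        version = "NTLMv2"
    else:
        version = "malformed"
    return {"version": version, "lm_len": lm_len, "nt_len": nt_len,
            "nt_proof": nt_resp[:16].hex().upper()}


def build_authenticate(lm_resp, nt_resp, domain, user, workstation, flags=0):
    """Construct a minimal AUTHENTICATE_MESSAGE (64-byte fixed part, no Version/MIC) for testing."""
    parts = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]  # last slot: EncryptedRandomSessionKey (empty)
    header = bytearray(SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE))
    offset = 64                                      # payload starts right after the fixed part
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    header += struct.pack("<I", flags)
    return bytes(header) + b"".join(parts)


# Constructed sample responses (placeholder bytes, not real credentials). The NTProofStr
# reuses the 16-byte value shown in the capture excerpt on this page.
NT_PROOF = bytes.fromhex("2D6515D426741B174F144F55B04B2FD0")
V2_BLOB = (b"\x01\x01" + bytes(2) + bytes(4)          # RespType, HiRespType, Reserved1, Reserved2
           + struct.pack("<Q", 0) + b"\xC1" * 8        # TimeStamp, ChallengeFromClient
           + bytes(4) + bytes(4))                      # Reserved3, MsvAvEOL (end of AV_PAIRs)
SAMPLES = {
    "v1": build_authenticate(b"\x11" * 24, b"\x22" * 24, "CORP", "svc", "WS1"),
    "v1_ess": build_authenticate(b"\xAB" * 8 + bytes(16), b"\x22" * 24, "CORP", "svc", "WS1",
                                 flags=NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
    "v2": build_authenticate(b"\x33" * 24, NT_PROOF + V2_BLOB, "CORP", "svc", "WS1"),
    "anon": build_authenticate(b"", b"", "", "", "WS1"),
}


def classify_samples():
    """Version string for each constructed sample."""
    return {name: classify_authenticate(msg)["version"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify_authenticate(msg))
```

To use it on real traffic, pass classify_authenticate the NTLMSSP blob carved out of the SSPI token in the client's TDS SSPI packet; the function only needs the bytes starting at the "NTLMSSP" signature.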
FreeTDS support and configuration
Older FreeTDS releases (0.8x) do not support NTLMv2 at all; the 0.9x releases support it, but it must be enabled per server in freetds.conf.
Here is the sample of freetds.conf
[DB SERVER NAME]
host = 127.0.0.1
port = 8001
use ntlmv2 = yes
If the Windows side is set to NTLMv2 only (LAN Manager authentication level 5, which refuses LM and NTLMv1) but NTLMv2 is not turned on in FreeTDS, the login fails with an error like this:
Msg 18452 (severity 14, state 1) from DEPOTSQL Line 1: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
See also: http://www.freetds.org/userguide/freetdsconf.htm
How It Works (in progress)
- Client opens a TCP connection to ScaleArc (SYN)
- ScaleArc listener acknowledges (SYN, ACK); client completes the TCP handshake (ACK)
- Client begins TDS negotiation with a Prelogin message (TDS 7.3)
- ScaleArc sends the Prelogin response (TDS 7.3)
- Client sends Login7 (TDS 7.3); for Windows authentication the NTLM NEGOTIATE token rides in its SSPI field, ScaleArc answers with the NTLM CHALLENGE, and the client replies with the NTLM AUTHENTICATE message shown in the capture excerpt above
| Step                                       | Client            | ScaleArc                           |
|--------------------------------------------|-------------------|------------------------------------|
| Network connection established over TCP/IP | SYN -->           | Listener acknowledges and responds |
|                                            | <-- SYN, ACK      |                                    |
| TCP handshake done                         | ACK -->           |                                    |
| TDS SQL handshake                          | TDS:Prelogin -->  |                                    |
|                                            | <-- TDS:Response  | TDS:Response                       |
| TDS: Login(7) negotiation                  | Login7 -->        |                                    |
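The Prelogin step of the exchange above, as an added Python example (not ScaleArc code): it encodes the client's TDS PRELOGIN packet, builds a constructed stand-in for the listener's PRELOGIN response, and decodes both to show what each side advertised. Packet header and PRELOGIN layout follow [MS-TDS]; the version numbers, thread id and encryption choices are placeholders chosen for the demo, not values observed from ScaleArc.

```python
"""Encode/decode the TDS PRELOGIN exchange (client request, server response).

Added example, not ScaleArc code. Layout follows [MS-TDS] 2.2.3.1 (packet header)
and 2.2.6.5 (PRELOGIN). Versions, thread id and encryption values are placeholders.
"""
import struct

PKT_PRELOGIN = 0x12          # client-to-server PRELOGIN packet type
PKT_TABULAR_RESULT = 0x04    # type used for every server reply, the PRELOGIN response included
STATUS_EOM = 0x01            # end-of-message status bit
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
TERMINATOR = 0xFF
ENCRYPTION = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON", 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}


def tds_packet(ptype, body, spid=0, packet_id=1):
    """Prepend the 8-byte TDS header: Type, Status, Length (big-endian, header included),
    SPID, PacketID, Window."""
    return struct.pack(">BBHHBB", ptype, STATUS_EOM, 8 + len(body), spid, packet_id, 0) + body


def parse_packet(packet):
    """Split a TDS packet into (type, status, body); rejects a length mismatch."""
    ptype, status, length, _spid, _pid, _win = struct.unpack_from(">BBHHBB", packet, 0)
    if length != len(packet):
        raise ValueError("header length %d does not match %d bytes on the wire" % (length, len(packet)))
    return ptype, status, packet[8:]


def encode_prelogin(options):
    """PRELOGIN body: table of (token, offset, length) entries, 0xFF terminator, then option data.
    `options` is a list of (token, bytes); offsets are relative to the start of the body."""
    table_len = 5 * len(options) + 1
    table, data = b"", b""
    for token, blob in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(blob))
        data += blob
    return table + bytes([TERMINATOR]) + data


def decode_prelogin(body):
    """Inverse of encode_prelogin: returns {token: bytes}."""
    opts, pos = {}, 0
    while body[pos] != TERMINATOR:
        token, off, length = struct.unpack_from(">BHH", body, pos)
        opts[token] = body[off:off + length]
        pos += 5
    return opts


def decode_version(blob):
    """VERSION option: major, minor, build (big-endian), subbuild."""
    return "%d.%d.%d.%d" % struct.unpack(">BBHH", blob)


def client_prelogin(version=(7, 3, 0, 0), encryption=0x00):
    """Client's first TDS message. The version tuple and thread id are placeholders."""
    body = encode_prelogin([
        (OPT_VERSION, struct.pack(">BBHH", *version)),
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),                      # empty, NUL-terminated instance name
        (OPT_THREADID, struct.pack("<I", 0x1234)),   # placeholder client thread id
        (OPT_MARS, b"\x00"),                         # MARS off
    ])
    return tds_packet(PKT_PRELOGIN, body)


def server_prelogin_response(version=(10, 50, 1600, 0), encryption=0x02):
    """Constructed stand-in for the listener's reply; the version is made up for the demo."""
    body = encode_prelogin([
        (OPT_VERSION, struct.pack(">BBHH", *version)),
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),
        (OPT_MARS, b"\x00"),
    ])
    return tds_packet(PKT_TABULAR_RESULT, body)


def handshake_summary(client_pkt, server_pkt):
    """Decode both sides of the PRELOGIN exchange and report what each advertised."""
    ctype, _, cbody = parse_packet(client_pkt)
    stype, _, sbody = parse_packet(server_pkt)
    if ctype != PKT_PRELOGIN or stype != PKT_TABULAR_RESULT:
        raise ValueError("unexpected packet types %#x / %#x" % (ctype, stype))
    c, s = decode_prelogin(cbody), decode_prelogin(sbody)
    return {
        "client_version": decode_version(c[OPT_VERSION]),
        "server_version": decode_version(s[OPT_VERSION]),
        "client_encryption": ENCRYPTION[c[OPT_ENCRYPTION][0]],
        "server_encryption": ENCRYPTION[s[OPT_ENCRYPTION][0]],
    }


if __name__ == "__main__":
    print(handshake_summary(client_prelogin(), server_prelogin_response()))
```

parse_packet and decode_prelogin can be pointed at the first two TDS packets of a real capture to confirm which version and encryption setting ScaleArc actually returned before the Login7/NTLM exchange begins.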
Useful links regarding NTLM and Security
NT LAN Manager (Wikipedia) | http://en.wikipedia.org/wiki/NT_LAN_Manager
Purging Old NT Security Protocols | http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx
MS-NLMP Protocol | http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-NLMP%5D.pdf
The Most Misunderstood Windows Security ... | https://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx
Windows Server 2012R2 NTLM Overview | https://technet.microsoft.com/en-us/library/hh831571.aspx
secpol to force NTLMv2 | https://kb.iu.edu/d/atcb
NTLM's Time has Passed | http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx
NTLM Negotiation Is a Lie | http://blog.uvm.edu/jgm/2011/02/15/ntlmv2-troubleshooting-notes-ntlm-negotiation-is-a-lie/