NTLM through NSX ALB

During our migration process from an F5 Big-IP to NSX ALB, we ran into a particularly stubborn issue with NTLM traffic.

Even though we followed the documentation to a T, we could not get our apps that require NTLM working properly. The only settings that worked for us included enabling multiplexing and disabling NTLM detection, but this ended up breaking Kerberos authentication for the app.

After diving in deeper and grabbing some packet captures on both ALB and F5, we noticed that they seemed to handle traffic differently. On ALB, every new HTTP request would spawn a new TCP connection for some reason. As NTLM authenticates a TCP connection, this could never really work for us. After some back and forth with support, they got back to us with a solution.

The load balancer added a Connection: Close header to every response, which was caused by a very specific setting in the application profile: disable_keepalive_posts_msie6=true. The documentation for this setting is as follows:

Disable keep-alive client side connections for older browsers based off MS Internet Explorer 6.0 (MSIE6). For some applications, this might break NTLM authentication for older clients based off MSIE6.
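To confirm the symptom described above on your own VIP, the check below sends two requests over a single TCP connection and reports whether the peer injects Connection: close and whether the second request still gets through. This is an added example, not code from the original post or from NSX ALB; the two local HTTP servers it spins up are constructed stand-ins for a "broken" and a "fixed" VIP so the probe can run offline, and probe_keepalive() can be pointed at a real host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_keepalive(host, port, path="/", requests=2, timeout=5):
    """Send `requests` GETs over ONE TCP connection.
    Returns (close_seen, completed). NTLM authenticates the TCP connection,
    so close_seen=True / completed<requests means NTLM will not survive."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.connect()
    conn.auto_open = 0  # do not silently reconnect; surface the failure
    close_seen, completed = False, 0
    for _ in range(requests):
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
        except (http.client.HTTPException, OSError):
            break  # peer closed the connection after the previous reply
        completed += 1
        if resp.getheader("Connection", "").lower() == "close":
            close_seen = True
    conn.close()
    return close_seen, completed


def _handler(inject_close):
    """Constructed VIP stand-in; inject_close mimics disable_keepalive_posts_msie6=true."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"  # HTTP/1.1 keeps the connection open by default
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", "2")
            if inject_close:
                self.send_header("Connection", "close")  # the header seen on ALB
            self.end_headers()
            self.wfile.write(b"ok")
        def log_message(self, *args):
            pass  # keep the probe output quiet
    return Handler


def diagnose_simulated_vip(inject_close):
    """Run the probe against a local simulated VIP on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _handler(inject_close))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_keepalive("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

Against the simulated "broken" VIP the probe returns (True, 1); against the "fixed" one it returns (False, 2).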

The setting itself is not accessible through the UI; it needs to be set either via the API or the CLI.

Via API you could use a call similar to this one (where uuid is the uuid of the specific application profile you’re updating):

PATCH /applicationprofile/{uuid}

{
  "http_profile" : {
    "disable_keepalive_posts_msie6" : false
  }
}

Or by going via the CLI:

[admin:lab-avictr-my-domain]: > configure applicationprofile AP_NTLM
[admin:lab-avictr-my-domain]: applicationprofile> http_profile
[admin:lab-avictr-my-domain]: applicationprofile:http_profile> no disable_keepalive_posts_msie6
[admin:lab-avictr-my-domain]: applicationprofile:http_profile> save
[admin:lab-avictr-my-domain]: applicationprofile> save

You can verify your settings by running the show command (I’ve removed the irrelevant settings from the output).

[admin:lab-avictr-my-domain]: > show applicationprofile AP_NTLM
+------------------------------------------------------+---------------------------------------------------------+
| Field                                                | Value                                                   |
+------------------------------------------------------+---------------------------------------------------------+
| uuid                                                 | uuid                                                    |
| name                                                 | AP_NTLM                                                 |
| type                                                 | APPLICATION_PROFILE_TYPE_HTTP                           |
| http_profile                                         |                                                         |
|   disable_keepalive_posts_msie6                      | False                                                   |
+------------------------------------------------------+---------------------------------------------------------+

After updating this setting everything started working as intended, and we are now one step closer to completing our migration.