Troubleshooting LDAP Broker NTLMv2 issues

In this topic, you will learn how to troubleshoot LDAP Broker issues related to NTLMv2 configuration, permissions, enrollment, and authentication.

Authentication or enrollment stopped working after enabling Support NTLMv2

Enabling Support NTLMv2 forces LDAP Broker to use NTLMv2 only and disables the use of NTLMv1. Before Support NTLMv2 was enabled, LDAP Broker used standard NTLM authentication, which supports both NTLMv1 and NTLMv2. Because of this, enrollment may have worked without the additional permissions required for NTLMv2-only operation.

To troubleshoot:

  • Verify that the environment supports NTLMv2-only authentication.

  • Verify that the service account is a member of the Domain Admins group or has the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions delegated to it. Without these permissions, NTLMv2-only authentication will fail.

Note:
These permissions are required for authentication methods that require LDAP Broker to verify user credentials against Active Directory, such as PAP, MSCHAPv2, and TTLS. They are not required for certificate-based authentication.

For more information about how LDAP Broker performs authentication, see Authentication.

LDAP Broker status is Active, but authentication or enrollment is failing when Support NTLMv2 is enabled

The Active status only confirms that LDAP Broker can retrieve its configuration from Portnox Cloud, establish relay communication, and communicate with the configured LDAP directory. The Active status does not verify that the service account has the permissions required for NTLMv2-only operation.

To troubleshoot:

  • Verify that Support NTLMv2 is required in your environment. Certificate-based authentication deployments do not require NTLMv2-only authentication.

  • Verify that the service account is a member of the Domain Admins group or has the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions delegated to it.

  • Review the LDAP Broker logs for authentication, permission, or LDAP-related errors. For more information, see Where to find the LDAP Broker logs and status.

Certificate-based authentication (EAP-TLS) is failing and NTLMv2 is suspected to be the cause

NTLMv2 is not the cause of this issue. EAP-TLS authentication does not use NTLM authentication. During EAP-TLS authentication, LDAP Broker only queries LDAP to verify that the account exists.

To troubleshoot: