Hi everyone
Across a few different installations, all involving Windows 2012 AD (UCP Pro, converged solution), I'm desperately trying to get the vCO (integrated in the vCAC 6.x VA) to talk to any web service that uses NTLM authentication, such as REST, the vCAC Plugin (which connects to the web service of the IaaS server), etc.
When I examine the logs of the affected IIS (both 2008 R2 and 2012-based), I always see that when vCO connects first, without credentials, IIS sends a 401 Unauthorized reply (as expected), but the Orchestrator does not come back using NTLM authentication; it simply stops there.
I've been trying this:
- reducing NTLM requirements from "v2 only" to "NTLM v2, NTLM v1 and LM"
- disabling loopback host verification using registry hacks on the IIS servers
- many different web services on different versions of IIS
- basic authentication (works fine)
- manual connection using a browser and NTLM authentication (works fine)
None of this helped to solve the issue.
While I could not really figure out the root cause, I believe it boils down to either:
- some changes in AD 2012, which I couldn't figure out yet; all online documentation hints that nothing was changed in terms of NTLM compatibility between ADS 2008 R2 and 2012 (non-R2)
- vCO on the vCAC (Linux) appliance would not handle NTLM authentication correctly
Things I did not try:
- Using an external vCO appliance or instance (going to try next)
Any hints appreciated.
- Jonas
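
One way to confirm from the IIS side the symptom described in the post (a client gets the first 401 and never retries with credentials), as an added example that is not part of the original post. It assumes W3C-format IIS logs with `sc-substatus` and `cs-username` enabled; the log lines, addresses, user name and URI are constructed.

```python
from collections import defaultdict

# Constructed IIS W3C log lines (not from the original post); IPs, user and URI are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-05-01 10:00:00 GET /api/items - 10.0.0.5 Apache-HttpClient 401 2 5
2014-05-01 10:00:30 GET /api/items - 10.0.0.5 Apache-HttpClient 401 2 5
2014-05-01 10:01:00 GET /api/items - 10.0.0.9 Mozilla/5.0 401 2 5
2014-05-01 10:01:00 GET /api/items - 10.0.0.9 Mozilla/5.0 401 1 2148074254
2014-05-01 10:01:00 GET /api/items EXAMPLE\\svc 10.0.0.9 Mozilla/5.0 200 0 0
"""

STAGES = {1: "anonymous request rejected, no retry with credentials",
          2: "Authorization header sent, logon not completed",
          3: "authenticated"}

def handshake_stage(log_text):
    """Map each client IP to the furthest authentication stage it reached."""
    fields, stage = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        status, sub = int(row["sc-status"]), int(row["sc-substatus"])
        if status < 400 and row["cs-username"] != "-":
            reached = 3                        # request served for a named user
        elif (status, sub) == (401, 1):
            reached = 2                        # 401.1: credentials offered, logon failed or still negotiating
        elif (status, sub) == (401, 2):
            reached = 1                        # 401.2: request carried no usable credentials
        else:
            continue
        stage[row["c-ip"]] = max(stage[row["c-ip"]], reached)
    return dict(stage)

def stalled_clients(log_text):
    """Clients that only ever received the initial 401.2 response."""
    return sorted(ip for ip, s in handshake_stage(log_text).items() if s == 1)

if __name__ == "__main__":
    for ip, s in sorted(handshake_stage(SAMPLE_LOG).items()):
        print(ip, "->", STAGES[s])
```

A client listed by `stalled_clients` never sent an `Authorization` header after the first 401, which points at the client side of the handshake rather than at the server's NTLM level settings.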