The NTLM authentication token is not supported

3
votes

I am using integrated security with TeraData and ASP.NET MVC3. I am getting the exception below when trying to open a connection. Is there something I need to do to convert the token into something that will be acceptable?

Server Error in '/' Application. The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Teradata.Net.Security.TdgssException: The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[TdgssException: The NTLM authentication token is not supported. ErrorCode: -452984668 Severity: Error Facility: DotNet] Teradata.Net.Security.Mechanisms.SPNEGOSession.AuthenticateAsClientImplementation(TdgssAuthenticationTokenExchange tokenAuthenticationExchange, String credential, String targetName) +4506 Teradata.Net.Security.Mechanisms.Session.AuthenticateAsClient(TdgssAuthenticationTokenExchange tokenAuthenticationExchange, String credential, String targetName) +159 Teradata.Client.Provider.WpSecurityManager.Action() +134

[TdException (0x80004005): [TeraGSS Security Library] [115022] Exception occurred in TERAGSS layer. See inner exception for details.] Teradata.Client.Provider.WpSecurityManager.Action() +268 Teradata.Client.Provider.WpSession.Open(Int32 connectionTimeout, String password) +2258 Teradata.Client.Provider.Connection.Open(UtlConnectionString connectionString, UInt32 timeout) +1028 Teradata.Client.Provider.ConnectionPool.CreateConnection(UInt32 timeout) +53 Teradata.Client.Provider.ConnectionPool.GetConnectionFromPool(Object owningObject) +820 Teradata.Client.Provider.ConnectionFactory.GetConnection(Object owningObject, UtlConnectionString connStr) +842 Teradata.Client.Provider.TdConnection.Open() +172 ProductDevelopmentRequestSystem.Data.AMAPS.MaterialRepository.get_Connection() +389 ProductDevelopmentRequestSystem.Data.AMAPS.MaterialRepository.GetSuffixPlantMapping() +107 ProductDevelopmentRequestSystem.Reports.Supply.SupplyDataLogic.GetAmapsPlantMappings() +114 ProductDevelopmentRequestSystem.Reports.Supply.SupplyDataLogic.GetData(SupplyReportData data) +120 ProductDevelopmentRequestSystem.Reports.Supply.SupplyReportLogic.Generate(SupplyReportData data) +115 ProductDevelopmentRequestSystem.Controllers.SupplyAndDemandController.Index(SupplyAndDemandViewModel model) +1836 lambda_method(Closure , ControllerBase , Object[] ) +127 System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +274 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +39 System.Web.Mvc.<>c_DisplayClass15.b_12() +120 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation) +637 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +307 System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +720 System.Web.Mvc.Controller.ExecuteCore() +162 System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +305 System.Web.Mvc.<>c_DisplayClassb.b_5() +62 System.Web.Mvc.Async.<>c_DisplayClass1.b_0() +15 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18055

2
c#asp.net-mvc-3teradata
Could it be that IIS is only configured for Kerberos and not including Ntlm? See link to switch Ntlm on: support.microsoft.com/kb/215383 - user2930590
Is NTLM supported on the Teradata instance using tools like Teradata's SQL Assistant using ODBC/.Net Provider or Studio Express using JDBC? - Rob Paller
I am able to connect locally using integrated security and RazorSQL. I am also able to connect locally using integrated security and Visual Studio 2010 when running the web project. It is only when I deploy to the dev server. It is almost like TeraData doesn't like the ASP.NET impersonation. I don't know how to make it real. - Greg Finzer
Were you able to solve this? - Dennis
@Mr.White We ended up creating a user account for TeraData instead of using integrated authentication. The integrated authentication never worked. - Greg Finzer

2 Answers

0
votes

Looks like the same question was posted on the Teradata forums. They were asked if Integrated Authentication was in use. If it was, a bug would need to be filed because this points to a failure of Kerberos failing back to NTLM. If Integrated Authentication wasn't needed, the connection string needed to be updated.

There was no response.

I presume this means it's a common double-hop issue which would be solved by getting a correct implementation of Kerberos running or changing the connection string to use an explicit account.

0
votes

IF your resource is on a different server to IIS (or the config files think it is, try swapping the name to the IP address of the resource your trying to access) then your likely getting a double hop issue, and NTLM will be used to authenticate unless your resource is on a server that is setup for Active directory delegation. In short NTLM will never succeed, you need to use delegation and Kerberos will see http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx