
Problem

The ZTSA module fails to sign in when Trend Vision One is configured with the following settings:

  • The Service Gateway has the Cloud Service Extension enabled and the Forward Proxy Service installed.
  • In Zero Trust Secure Access > Internet Access and AI Service Configuration > Global Settings > Single Sign-On with Active Directory (On-Premises), both "Enable single sign-on" and "Enable single sign-on using NTLM v2 authentication" are checked.

    Unable to Sign In


Root Cause

The issue is caused by ZTSA module version 2.22.1036, which uses the Service Gateway to connect to an NTLM authentication proxy for sign-in.

If the Cloud Service Extension is enabled, the Service Gateway routes traffic to Trend Vision One hosted services.

Since these services are hosted in the public cloud, the Service Gateway may be unable to reach the NTLM authentication proxy, resulting in a sign-in failure.

Solution

To resolve this issue, update the ZTSA module to version 2.23.1042.

In version 2.23.1042 or later, the ZTSA module does not use the Service Gateway to connect to the NTLM authentication proxy for sign-in.