bkirk

Authentication Woes!

We have a complex proxy environment that we are trying to migrate to MWG. We would like to:

  1. Authenticate the user with NTLM if they are on the domain (transparent to the user).
  2. Re-authenticate if they are not on the domain or they are not in a particular AD group (prompts the user).
  3. Allow the user to get to a certain group of URLs (i.e. weather.com) and log the user ID if available.
  4. Block the user if they aren't in a particular AD group.

Where I seem to have problems is when the user is authenticated but not in the Internet-allowed AD group and goes to weather.com: all the parts of weather.com not hosted on weather.com keep asking the user to authenticate.

I thought of 2 ways around this but I can't seem to implement them. 

  1. Have a default block page that has a button that will cause the user to be reauthenticated.
    or
  2. Once the user has successfully typed in their credentials, don't re-authenticate for a set period of time.

If anyone knows how to do this that would be great, or if you have some other work around, awesome!

Thank you,

Brian

This was what Erik_Elsasser came up with for a start, but adding the Stop Rule Set for "URL matches in list" for weather.com between the two rules causes the Second Authentication Attempt to keep happening for all the non-weather.com content hosted on weather.com:

NTLM Authentication
[Ruleset to authenticate the user if user is not authenticated.]

Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
Criteria:
1: Connection.Protocol equals "HTTP"
2: OR Connection.Protocol equals "HTTPS"

Rules (evaluated top to bottom):

Rule: Authenticate User database integrated (Enabled)
Criteria:
1: Authentication.Authenticate<lordchariot.local> equals false
Action: Authenticate<Default>
Comment: Authenticate the user with the database.

Rule: Allow Whitelisted URLs and Log UserID if authenticated (Enabled)
Criteria:
1: URL.Host matches in list Whitelist URLs
Action: Stop Rule Set
Comment: Allow access to whitelisted URLs. This rule is repeated in the category section, and a default block rule should clean up anything else in the category section.

Rule: Second Authentication Attempt (Enabled)
Criteria:
1: Authentication.Authenticate<lordchariot.local> equals true
2: AND Authentication.UserGroups does not contain "IN-HDQ-Standard"
Action: Authenticate<Default>
Comment: This pops up a logon prompt if you are not already in the IN-HDQ-Standard group, and a user/password must be entered that is in the group.

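The behaviour described in the post, modelled as an added Python example (this is not McAfee Web Gateway code and not something from the thread). The three rules are walked top to bottom for every object of a page load; because the whitelist rule tests only URL.Host, each third-party object embedded in a weather.com page falls through to the Second Authentication Attempt rule and prompts again. The StepUpCache class models the poster's second workaround (remember a successful step-up for a set period). The 600-second TTL, the third-party host names, the client address and the user name are assumptions constructed for the example.

```python
"""Toy model of the three-rule NTLM rule set from the post.

Added illustration, not McAfee Web Gateway code: it models only the top-down
rule evaluation and the "don't re-authenticate for a set period" workaround.
StepUpCache, the 600-second TTL, the host names and the client address are
assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOWED_GROUP = "IN-HDQ-Standard"                     # group named in the post
WHITELIST_HOSTS = {"weather.com", "www.weather.com"}  # "Whitelist URLs" list (constructed)
STEP_UP_TTL = 600                                     # seconds; assumed value


@dataclass(frozen=True)
class Request:
    host: str                          # URL.Host of the object being fetched
    client: str                        # client IP, used as cache key (assumption)
    user: str | None = None            # None = transparent NTLM gave no identity
    groups: frozenset[str] = frozenset()  # Authentication.UserGroups


class StepUpCache:
    """Remembers, per client, until when an interactive step-up stays valid."""

    def __init__(self, ttl: int = STEP_UP_TTL) -> None:
        self.ttl = ttl
        self._expires: dict[str, float] = {}

    def record(self, client: str, now: float) -> None:
        self._expires[client] = now + self.ttl

    def valid(self, client: str, now: float) -> bool:
        return self._expires.get(client, -1.0) > now


def evaluate(req: Request, now: float, cache: StepUpCache | None = None) -> str:
    """Walk the rules top to bottom; return "allow" or "prompt"."""
    # Rule 1 (Authenticate User): no domain identity -> browser is challenged.
    if req.user is None:
        return "prompt"
    # Rule 2 (Allow Whitelisted URLs, Stop Rule Set): only URL.Host is tested,
    # so an object fetched from any other host does not match here.
    if req.host in WHITELIST_HOSTS:
        return "allow"
    # Rule 3 (Second Authentication Attempt): known user outside the group.
    if ALLOWED_GROUP not in req.groups:
        if cache is not None and cache.valid(req.client, now):
            return "allow"                # workaround #2: step-up still fresh
        return "prompt"
    return "allow"


def load_page(objects: list[Request], now: float, cache: StepUpCache | None = None,
              step_up_succeeds: bool = False) -> int:
    """Evaluate every object of one page load and return the number of prompts.
    With step_up_succeeds, the first prompt for an identified user records a
    successful step-up in the cache, as the poster's workaround #2 would."""
    prompts = 0
    for req in objects:
        if evaluate(req, now, cache) == "prompt":
            prompts += 1
            if cache is not None and step_up_succeeds and req.user is not None:
                cache.record(req.client, now)
    return prompts


def weather_page(user: str | None, groups: list[str], client: str = "10.0.0.5") -> list[Request]:
    """Constructed page load: one weather.com object plus third-party objects."""
    hosts = ["www.weather.com", "cdn.example-ads.net",
             "fonts.example-cdn.com", "cdn.example-ads.net"]
    return [Request(h, client, user, frozenset(groups)) for h in hosts]


if __name__ == "__main__":
    page = weather_page("brian", [])          # domain user, not in the group
    print(load_page(page, now=0.0))                            # 3: each third-party object prompts
    cache = StepUpCache()
    print(load_page(page, 0.0, cache, step_up_succeeds=True))  # 1: prompt once, then cached
    print(load_page(page, 100.0, cache))                       # 0: still within the TTL
    print(load_page(page, 700.0, cache))                       # 3: TTL expired, prompts return
```

The model keys the cache on the client address only because the post gives nothing else to key on; on a NAT or shared workstation that lets another user behind the same address inherit the elevated step-up until the TTL runs out, so in practice the key should be the authenticated identity or a per-session cookie, and the TTL kept short.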