Authentication Woahs!

We have a complex proxy environment that we are trying to migrate from to MWG.  We would like to:

  1. Authenticate the user with NTLM, if they are on the domain. (Transparent to the user)
  2. Re-authenticate if they are not on the domain or they are not in a particular AD group. (Prompts the user)
  3. Allow the user to get to a certain group of URLs (ie and log the userID if available.
  4. Block the user if they aren't in a particular AD group.

Where I seem to have problems is when the user is authenticated but not in the Internet allowed AD group, and going to all the parts of not hosted on  will keep asking the user to authenticate.

I thought of 2 ways around this but I can't seem to implement them. 

  1. Have a default block page that has a button that will cause the user to be reauthenticated.
  2. Once the user has successfully typed in their credentials, don't re-authenticate for a set period of time.

If anyone knows how to do this that would be great, or if you have some other work around, awesome!

Thank you,


This was what Erik_Elsasser came up with for a start, but adding the stop rule set for URL matches in list for between the two rules causes the Second Authentication Attempt to keep happening for all the non content hosted on

NTLM Authentication
[Ruleset to authenticate the user if user is not authenticated.]

Applies to Requests: True / Responses: False / Embedded Objects: False
1: Connection.Protocol equals "HTTP"
2: OR Connection.Protocol equals "HTTPS"

Authenticate User database integrated
1: Authentication.Authenticate<lordchariot.local> equals false

Authenticate the user with the database.

Allow Whitelisted URLs and Log UserID if authenticated
1: URL.Host matches in list Whitelist URLs

Stop Rule Set

Allow Access to Whitelisted URLs. This rule is repeated in the category section, and a default block rule should clean up anything else in the category section.

Second Authentication Attempt
1: Authentication.Authenticate<lordchariot.local> equals true
2: AND Authentication.UserGroups does not contain "IN-HDQ-Standard"

This pops up a logon prompt if you are not already in the IN-HDQ-Standard group and a user/password must be entered that is in the group.

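To make the rule ordering above and the "don't re-authenticate for a set period" idea concrete, here is an added Python simulation of the three rule sets (transparent NTLM, whitelist with Stop Rule Set, second authentication against the IN-HDQ-Standard group). It is not MWG configuration or anyone's code from this thread; the host names, user names, session IDs and group memberships are constructed, and the TTL cache keyed by session is an assumed mechanism, not an MWG feature.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed data (assumptions, not from the post): whitelist and directory.
WHITELIST_URLS = {"portal.example.com", "login.example.com"}
REQUIRED_GROUP = "IN-HDQ-Standard"            # group named in the post
AD_GROUPS = {                                 # user -> AD groups (constructed)
    "alice": {"Domain Users", "IN-HDQ-Standard"},
    "bob": {"Domain Users"},
}

@dataclass
class Decision:
    action: str             # "allow" or "block"
    user: Optional[str]     # user ID to log, if one is known
    prompted: bool          # whether this request raised a logon prompt

@dataclass
class ProxyPolicy:
    reauth_ttl: float = 0.0                   # 0 = behaviour in the post: prompt every request
    prompts: int = 0                          # total logon prompts shown
    _reauth: dict = field(default_factory=dict)   # session -> (re-auth user, expiry)

    def evaluate(self, session, host, ntlm_user=None, typed_user=None, now=None):
        now = time.time() if now is None else now
        # Rule set 1: transparent NTLM; a client with no domain identity gets a prompt.
        user = ntlm_user
        if user is None:
            self.prompts += 1
            user = typed_user
            if user is None or user not in AD_GROUPS:
                return Decision("block", None, True)
        # Rule set 2: whitelisted hosts pass with the user ID logged, then Stop Rule Set.
        if host in WHITELIST_URLS:
            return Decision("allow", user, False)
        # Rule set 3: second authentication unless the user is already in the group.
        if REQUIRED_GROUP in AD_GROUPS.get(user, set()):
            return Decision("allow", user, False)
        cached = self._reauth.get(session)
        if cached and cached[1] > now:        # proposal 2: a remembered re-auth, no prompt
            return Decision("allow", cached[0], False)
        self.prompts += 1                     # otherwise the logon prompt appears again
        if typed_user and REQUIRED_GROUP in AD_GROUPS.get(typed_user, set()):
            self._reauth[session] = (typed_user, now + self.reauth_ttl)
            return Decision("allow", typed_user, True)
        return Decision("block", user, True)
```

With `reauth_ttl=0` a domain user outside the group is prompted on every non-whitelisted request, which is the loop described above; with a non-zero TTL the session is prompted once and then allowed until the TTL lapses.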