I try to achieve something that seemed to be easy in MWG6: LDAP authentication against an Active Directory and if that fails: authentication against the user database:
For LDAP authentication I defined the proxy realm to be "McAfee Web Gateway (LDAP)", for user database authentication I defined proxy realm to be "McAfee Web Gateway (User-DB)".
What I see now is this:
1.) On the first request, Firefox asks for user name and password, the realm is "moz-proxy://22.214.171.124:8080". This is the IP and port of a Squid proxy between the browser and MWG. Sort of OK
1a.) If I provide correct LDAP credentials, Firefox just repeats the question. Not OK.
1b.) If I provide correct user database credentials, I get logged in. OK.
2.) If I click "Cancel" immediately on the first authentication request, Firefox again asks for user name and password, the realm is "McAfee Web Gateway (LDAP)".
2a.) If I provide correct LDAP credentials, I get authenticated successfully. Sort of OK. Why not in the first place?
2b.) If I provide correct user database credentials, I get authenticated successfully. Sort of OK.
2c.) If I click on "Cancel" instead, Firefox shows me the "The proxy server is refusing connections" page. OK.
3.) If I provide INCORRECT credentials on the first authentication request, then click "Cancel", Firefox again asks for user name and password, the realm is "McAfee Web Gateway (User-DB)". Interesting.
3a.) If I provide correct credentials now (LDAP or user database), I get authenticated successfully. Sort of OK. Why not in the first place?
Could someone please provide some insight?
Clarify something here.
Are you saying you have 2 proxies chained and squid is authenticating?
Client -> Squid -> MWG -> Internet
You are not allowed to do this. Only the first proxy can do browser authentication.
Yes, this (Client > Squid > MWG > Internet) is the configuration. I am not aware why this should be forbidden. Is there any part in the documentation stating this issue?
And why should it be working (allowed or not) with MWG6 but not with MWG7?
It is not a restriction of MWG, per se, but a restriction with the HTTP protocol. It's forbidden in the RFC.
The only suggestion is to somehow put the username into an X-Authenticated-User: and X-Authenticated-Groups: header in the request and have MWG strip those out and use them.
Unfortunately, I don't think Squid can insert custom headers like that, but 2 MWGs in a row can.
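As an added example (not code from the thread or from MWG/Squid), here is a minimal model of how a downstream proxy could consume the X-Authenticated-User / X-Authenticated-Groups headers suggested above safely: it honours them only when the request arrives from the trusted upstream proxy and strips them otherwise, so a client that can reach the downstream proxy directly cannot forge an identity. The upstream address 10.0.0.5 and the sample requests are constructed values.

```python
import ipaddress
import re

# Constructed assumption: the only peer allowed to assert identities.
TRUSTED_UPSTREAMS = {ipaddress.ip_address("10.0.0.5")}
IDENTITY_HEADERS = ("x-authenticated-user", "x-authenticated-groups")
# Accept plain user names and DOMAIN\user; anything else is dropped.
_USER_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,128}$")


def parse_headers(raw):
    """Split an HTTP request head into (request_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def consume_identity(raw, peer_ip):
    """Return (user, groups, headers_to_forward).

    Identity headers are used only when the connecting peer is a trusted
    upstream proxy; from any other peer they are silently stripped so the
    next hop never sees client-supplied identity claims. A duplicated
    X-Authenticated-User header is treated as ambiguous and rejected.
    """
    trusted = ipaddress.ip_address(peer_ip) in TRUSTED_UPSTREAMS
    _, headers = parse_headers(raw)
    forwarded = [(n, v) for n, v in headers if n not in IDENTITY_HEADERS]
    if not trusted:
        return None, [], forwarded
    user_values = [v for n, v in headers if n == "x-authenticated-user"]
    user = None
    if len(user_values) == 1 and _USER_RE.match(user_values[0]):
        user = user_values[0]
    groups = []
    for n, v in headers:
        if n == "x-authenticated-groups":
            groups.extend(g.strip() for g in v.split(",") if g.strip())
    return user, groups, forwarded


# Constructed sample request carrying identity headers.
SAMPLE_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "X-Authenticated-User: DOMAIN\\alice\r\n"
    "X-Authenticated-Groups: staff, vpn\r\n\r\n"
)
```

The same request yields an identity when it comes from the upstream proxy and none when it comes from any other address, while the remaining headers are forwarded either way.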