cancel
Showing results for 
Search instead for 
Did you mean: 
sandeepsutar
Level 7

User Mapping not working with NTLM authentication

Dear Friends,

Need your expert comments on the belwo issue.

We are using WW6.8.7 with NTLM authentication.

It is observed that sometimes few of the users get "No Authorization" error message.

When checked it is observed that although user has a proper authorization for access, User Value in the error page shows either the URL field or the IP address which causes the User mapping failure and this happens with any of the user.

How do I trace this issue, since it happens with IE as well as Firefox browser?

Can someone shed some light as on how to get rid of the issue?

Appreciating your valued comments.

Regards,

Sandeep.

0 Kudos
2 Replies
apellepa
Level 8

Re: User Mapping not working with NTLM authentication

We detected same issue a month ago.

Investigation shows that the problem at the browser side (browser send authorization request after successfull  authorization).

For business critical sites i open access without authorization (look at page 131 of MWG system configuration administration guide).

But i think that the McAfee can add some additional measures to help resolve this issue (- do not check authorization if user already authorized).

0 Kudos
salanis
Level 10

Re: User Mapping not working with NTLM authentication

In Web Gateway 6.8.7 you can use the ICAP tracing feature located in Configuration > Debugging > Tracing

We recommend using 'Trace connection only for source IP' and enter your client IP only to minize the amount of files created.

When you have your client browser ready for testing then you can check 'Connection tracing' and apply the changes.

When your done testing make sure to uncheck connection tracing and apply the changes.

On that very same page there's a link to open the list of traced connections created whilst testing and you will see many files.

If you take a look at the screen shot I highlighted the two files of interest which contain the letters 'is' as part of the file name.

tracess.jpg

When you open these files you will see something like the image below. The first dot shows my client machine make a CONNECT request to community.mcafee.com, then the ICAP server figures out I am not authenticated and replies with an HTTP 407 - Proxy Authentication Required.

You can use this example if you choose to further troubleshoot on your own. This can be applied to filtering issues as well and thus not limited to authentication. However, If its becoming too much of an issue I would call technical support and have them aid with this issue.

traces2.jpg

on 12/6/10 11:42:44 PM CST
0 Kudos