In our environment I am using NTLM authentication, so the users whose PCs are part of the Active Directory domain and who log in to their PCs with domain credentials are allowed to use the internet. This is fine. Recently we have some summer interns, and for those I want to use the local database of the web gateway. But I noticed that if I enabled the user database rule, my users who are regular office staff also started getting prompted for user name and password.
See the attached screen shot; in the screen shot you can see the user database rule is disabled while NTLM is enabled as it is in use, but for the temporary summer guys (2/3 persons) I want to use the internal DB. Can you please assist with what the possible way is to get this going?
The reason why your domain users get prompted by authentication is because all of your traffic goes to your Local database authentication rule.
When a DOMAIN user accesses a webpage, its traffic will go first to the Authentication: User Database rule.
With this, all of your proxy users will get prompted for authentication and STOP there if no valid credentials were entered.
It will not fall down to your AD authentication since the action "Authenticate" blocks their request from that point onward.
A good way to perform multiple auth is bgartama's solution, where a "Continue" action is used for each auth rule and a blocking rule sits at the bottom of your authentication ruleset.
The rules within must not be interchanged, or else the desired result won't be accomplished.
To discuss this ruleset further: the first rule is the 'AD authentication rule', the 2nd is the 'Database auth rule' with an auth property equal to false, and the last is 'block unauthorized users'.
The reason why the AD rule goes first is to avoid the domain users getting prompted by the web gateway for authentication, which happens if the database auth is configured first.
Valid domain users will not trigger the database rule nor the third rule. The reason is that they have already been authorized by the MWG through AD, thus the property 'Authentication.IsAuthenticated equals false' is not met.
Your local users will also go through the AD authentication but will fall down to the next rule, as they are not part of your domain.
If valid credentials were given, MWG will then give an authorization to these users.
Now, if the user is not a member of the domain and wrong credentials were given, MWG will then block the request with the last rule, "Perform Authentication". The action "Authenticate" will block these requests as the property "Authentication.IsAuthenticated equals false" is fired.
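The rule walk described in this answer, as an added Python model that is not part of the thread or of Web Gateway itself; the user stores, rule names, and the simplified "Continue"/"Authenticate" semantics are constructed assumptions used only to show why the ordering matters:

```python
from dataclasses import dataclass

# Constructed sample identity stores (not real credentials).
DOMAIN_USERS = {"alice": "Ad-Pass-1"}        # users authenticated via NTLM against AD
LOCAL_DB_USERS = {"intern1": "Summer-Temp"}  # Web Gateway internal user database

@dataclass
class Request:
    user: str
    password: str
    is_authenticated: bool = False  # models the Authentication.IsAuthenticated property

@dataclass
class Rule:
    name: str
    criteria: object        # callable(Request) -> bool, or None to match every request
    authenticator: object   # callable(Request) -> bool, or None for a plain block rule
    action: str             # "Continue" (fall through) or "Authenticate" (stop, 407 challenge)

def auth_ad(req):
    return DOMAIN_USERS.get(req.user) == req.password

def auth_db(req):
    return LOCAL_DB_USERS.get(req.user) == req.password

def evaluate(ruleset, req):
    """Walk the ruleset top to bottom; return (outcome, deciding rule or None).
    Simplified engine (assumption): a matching rule runs its authenticator only while the
    request is still unauthenticated, then falls through on Continue or challenges on Authenticate."""
    for rule in ruleset:
        if rule.criteria is not None and not rule.criteria(req):
            continue
        if rule.authenticator is not None and not req.is_authenticated:
            req.is_authenticated = rule.authenticator(req)
        if rule.action == "Authenticate" and not req.is_authenticated:
            return ("challenged", rule.name)
    return ("allowed", None)

# Ordering recommended in the thread: AD first, DB only for the still-unauthenticated, block last.
RECOMMENDED = [
    Rule("AD authentication", None, auth_ad, "Continue"),
    Rule("Database auth", lambda r: not r.is_authenticated, auth_db, "Continue"),
    Rule("Block unauthorized users", lambda r: not r.is_authenticated, None, "Authenticate"),
]

# Ordering behind the original symptom: the DB rule stops every request it cannot authenticate,
# so a domain user never reaches the NTLM rule.
DB_FIRST = [
    Rule("Authentication: User Database", None, auth_db, "Authenticate"),
    Rule("Authentication: NTLM", None, auth_ad, "Authenticate"),
]
```

Running `evaluate(DB_FIRST, Request("alice", "Ad-Pass-1"))` reproduces the prompt the domain users saw, while the same request against `RECOMMENDED` is allowed by the first rule.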
Sorry for responding late about my results for this; today I followed your screen shot and am now attaching my screen shot here for understanding:
I tested with an AD user and it went through from the first rule; then I tested with a user name created in the local database of the gateway, and it went through the second rule; and lastly, when entering wrong credentials, the request was stopped by the last rule, where the property 'Authentication.IsAuthenticated equals false' kicks in.
Now the only difference I see between your screen shot and mine is that 'Responses' and 'Embedded Objects' are selected in your image, but in my settings they are grayed out; I cannot enable them and I don't know why. Can you assist if this is needed and how to enable it?
Waiting for your response.
No need to worry about that because what's configured in yours is more appropriate.
bgartma's ruleset could have been a ruleset he immediately created for your eyes only or he could have a different proxy setup.
We only need to apply the rule to "Request" cycles, as the proxy server only needs to ask and check for authentication when you request a website and not when the web servers respond to your request.
There is a rule available in the Online library at https://contentsecurity.mcafee.com/ruleset_library/dl?type=package&rule_id=50014 which combines AD, LDAP and the local MWG DB. Maybe this can help.