fwmonitor
Level 7

auth popup on thin client

Hello,

we have a setup with thin clients and LDAP auth which works well if only a few clients are accessing the internet. But the users start getting auth popups if the number of users increases.

[thin client]
|
10.0.0.0/24
|
[squid + openldap on solaris (multihome)]
|
172.16.0.0/24
|
[mwg7]
|
[firewall]
|
Internet

The squid passes the Auth Header and X-Forwarded-For to the MWG7. In mwg-core_Auth I see messages like:

Authentication didn't return values, failure ID: 4, authentication failed: 0

Authentication didn't return values, failure ID: 6, authentication failed: 1

Authentication didn't return values, failure ID: 8, authentication failed: 1

What do these error IDs mean?

There are no errors in openldap log.

The tcpdump shows the MWG suddenly answers with 407 despite a provided Proxy-Authorization header with correct credentials:

POST http://www.focus.de/ajax/catchline/ HTTP/1.0
Host: www.focus.de
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; de; rv:1.9.2.16) Gecko/20110324 Firefox/3.6.16
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.focus.de/
Content-Length: 33
Cookie: OmniUserID=1340191842695; __utma=188002103.477138154
Proxy-Authorization: Basic dXNlcjpwYXNz
Pragma: no-cache
Via: 1.1 proxy:9090 (squid/2.7.STABLE6)
X-Forwarded-For: 10.0.0.5
Cache-Control: no-cache, max-age=259200
Proxy-Connection: keep-alive

nDateFetch=1340192451&sMode=fetch


HTTP/1.0 407 authenticationrequired
Via: 1.0 172.16.0.245 (McAfee Web Gateway 7.2.0.1.0.13253)
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 2802
Proxy-Connection: Keep-Alive
Proxy-Authenticate: Basic realm="McAfee Web Gateway"

mwg-core__Auth:

[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) URL: http://www.focus.de/ajax/catchline/
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Configuration: LDAP-Schule Connection: 0x7fe7c08fe120 RR: 0x2c64610
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Incoming credentials: Basic dXNlcjpwYXNz
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) User entry not found in user cache
[2012-06-20 13:43:45.528 +02:00] [6265] LDAP (291834, 10.0.0.5) Mapping of user name "user" to DN returned 0 ""
[2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
[2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Authentication didn't return values, failure ID: 8, authentication failed: 1

If I disable auth caching the problem only gets worse. Similar problem: https://community.mcafee.com/message/218256

Any ideas how to troubleshoot?

best regards

on 20.06.12 13:24:48 CDT

on 20.06.12 13:33:56 CDT
5 Replies
asabban
Level 17

Re: auth popup on thin client

Hello,

the messages from the auth log file indicate that there is a problem which prevents MWG from successfully talking to the LDAP server and retrieving the attributes for the user "user". When you state that this only happens under some load and gets worse with disabling the cache I believe there may be connectivity problems between MWG and the LDAP server.

It seems like MWG is not able to connect to the LDAP server. Are you able to check log files on the LDAP server or any router/firewall that is between MWG and the LDAP server and see if you see any reason why a connection may be dropped? Maybe the LDAP server is overloaded from a networking perspective (which would explain why the LDAP server itself does not log anything). If there is no indication I recommend running a tcpdump on MWG and capturing all traffic for LDAP (port 389) and reproducing the problem. This may help to better understand what is happening on the network layer.

best,

Andre

Message edited by asabban on 22.06.12 06:40:43 CDT
fwmonitor
Level 7

Re: auth popup on thin client

Hello,

Actually I did capture the whole traffic and can see the LDAP communication with successful responses (bindResponse success and searchResDone success), but the MWG only does a bindRequest without asking for attributes, which results in "Authentication didn't return values, failure ID: 4, authentication failed: 0" - the auth (bind) is successful, but auth didn't return attributes, because MWG _didn't ask_ for them.

I can provide a pcap file (already filtered).

regards

P.S. for these entries from mwg-core__Auth there are no ldap packets at all:

[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) URL: http://stat.flashtalking.com/reportV3/ft.stat?4215270-0-310-0-1632A4505D2E06-667590-548x0x0x0
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Configuration: LDAP-Schule Connection: 0x2b95070 RR: 0x2c60ba0
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Authentication didn't return values, failure ID: 4, authentication failed: 0


on 22.06.12 10:39:18 CDT
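The two kinds of mwg-core__Auth excerpts in this thread (failure ID 8 after a DN mapping that returned nothing, and failure ID 4 with no directory lookup logged at all) can be triaged mechanically before reaching for the pcap. The following script is an added example, not MWG code or anything posted in this thread; it groups auth log lines by MWG request ID and flags failed requests for which no DN mapping was logged. The sample lines are constructed in the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mwg-core__Auth lines quoted in this thread
SAMPLE_LOG = """\
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) URL: http://www.focus.de/ajax/catchline/
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Incoming credentials: Basic dXNlcjpwYXNz
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) User entry not found in user cache
[2012-06-20 13:43:45.528 +02:00] [6265] LDAP (291834, 10.0.0.5) Mapping of user name "user" to DN returned 0 ""
[2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Authentication didn't return values, failure ID: 8, authentication failed: 1
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) URL: http://stat.flashtalking.com/reportV3/ft.stat
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Authentication didn't return values, failure ID: 4, authentication failed: 0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] \[\d+\] LDAP \((?P<req>\d+), (?P<ip>[\d.]+)\) (?P<msg>.*)$')
MAP_RE = re.compile(r'Mapping of user name "(?P<user>[^"]*)" to DN returned (?P<n>\d+)')
FAIL_RE = re.compile(r'failure ID: (?P<fid>\d+), authentication failed: (?P<failed>[01])')

def triage(log_text):
    """Group auth log lines per MWG request ID; returns {request_id: summary dict}."""
    reqs = defaultdict(lambda: {"url": None, "credentials": False, "cache_miss": False,
                                "dn_lookup": None, "failure_id": None, "failed": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an LDAP auth line
        r, msg = reqs[m["req"]], m["msg"]
        if msg.startswith("URL: "):
            r["url"] = msg[5:]
        elif msg.startswith("Incoming credentials:"):
            r["credentials"] = True  # a Proxy-Authorization header did arrive
        elif "not found in user cache" in msg:
            r["cache_miss"] = True  # MWG had to go to the directory for this user
        elif (mm := MAP_RE.search(msg)):
            r["dn_lookup"] = int(mm["n"])  # number of DNs the directory search returned
        elif (fm := FAIL_RE.search(msg)):
            r["failure_id"] = int(fm["fid"])
            r["failed"] = fm["failed"] == "1"
    return dict(reqs)

def summarize(reqs):
    """Count failure IDs and list failed requests for which no DN lookup was logged."""
    by_fid, no_lookup = defaultdict(int), []
    for rid, r in reqs.items():
        if r["failure_id"] is None:
            continue
        by_fid[r["failure_id"]] += 1
        if r["dn_lookup"] is None:
            no_lookup.append(rid)  # failure reported without ever querying the directory
    return dict(by_fid), sorted(no_lookup)
```

Run `summarize(triage(open("mwg-core__Auth").read()))` against a real log to see which failure IDs dominate and whether the failures without a lookup line up with the requests for which the capture shows no LDAP packets.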
asabban
Level 17

Re: auth popup on thin client

Hello,

sorry for the late response. Did you already file an SR about this issue in the meantime? If there is still need to look into this topic please upload the pcap file to our FTP server and send me the filename so that we can have a look.

Best,

Andre

fwmonitor
Level 7

Re: auth popup on thin client

Hello,

Yes, 3-2245670072, created 20.June.2012. I've just updated it with new information.

regards

asabban
Level 17

Re: auth popup on thin client

Hello,

thank you for the SR number. I had a quick look with support at the data yesterday, but I think some further troubleshooting is required here. I will leave it up to support/engineering to work with the data.

Best,

Andre
