bornheim

"Authentication required" popups

Hi,

my authentication scheme is roughly as follows:

RS: Authenticate with Kerberos
    Criteria: Authentication.IsAuthenticated equals false
    R: Authenticate with Kerberos
        Criteria: Authentication.Authenticate<Kerberos> equals false
        Stop Rule Set

RS: Authenticate with NTLM
    Criteria: Authentication.IsAuthenticated equals false
    R: Authenticate with NTLM
        Criteria: Authentication.Authenticate<NTLM> equals false
        Stop Rule Set

RS: Get User Groups and Data With LDAP
    Criteria: Authentication.IsAuthenticated equals true
    R: Save UserGroups from Kerberos/NTLM
        Set User-Defined.UserGroups = Authentication.UserGroups
    R: Get Real Name
        Set User-Defined.Realname = List.OfString.ToString(Authentication.GetUserGroups<LDAP_LOOKUP_REALNAME>, "")
    R: Restore UserGroups
        Set Authentication.UserGroups = User-Defined.UserGroups

RS: Authenticate with User Database
    Criteria: Authentication.IsAuthenticated equals false
    R: Authenticate with User Database
        Criteria: Authentication.Authenticate<User Database> equals false
        Stop Rule Set

RS: Perform Authentication
    Criteria: Authentication.IsAuthenticated equals false
    R: Prevent Browser from trying Negotiate with NTLM
        Criteria: Authentication.RawCredentials matches "Negotiate TlRM*"
        Authentication.ClearMethodList
        Authentication.AddMethod("NTLM", "", true)
    R: Perform Authentication
        Authenticate<Default>

This works pretty well most of the time. However, my users found at least one site where this doesn't work: http://www.wetter.com. They keep getting authentication requests after successfully requesting the site first, then waiting for a minute or so, with Firefox as well as with Internet Explorer.

What I can see in Wireshark (tested with Firefox):

1.) good case

    Q: GET
    A: 407, Proxy-Authenticate: Negotiate & NTLM
    Q: GET, Proxy-Authorization: Negotiate TlRM…
    A: 407, Proxy-Authenticate: NTLM
    Q: GET, Proxy-Authorization: NTLM TlRM…
    A: 407, Proxy-Authenticate: NTLM TlRM… (NTLMSSP_CHALLENGE)
    Q: GET, Proxy-Authorization: NTLM TlRM…
    A: 200

2.) bad case

    Q: GET
    A: 407, Proxy-Authenticate: Negotiate & NTLM
    Q: GET, Proxy-Authorization: Negotiate TlRM…
    A: 407, Proxy-Authenticate: NTLM
    Q: GET, Proxy-Authorization: NTLM TlRM…
    A: 407, Proxy-Authenticate: NTLM TlRM…
    Q: GET, Proxy-Authorization: NTLM TlRM…
    A: 407, Proxy-Authenticate: Negotiate & NTLM *bang*

Obviously Web Gateway seems not to like what Firefox offers for authentication. Except that was good enough some milliseconds before.

Same behaviour when the user is not logged into the domain (no SSO in this case) and manually supplies the credentials.

Kind regards,

Robert

Edited by bornheim on 07.03.14 10:37:21 CST
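The two traces above are easier to compare mechanically than by eye, and it helps to see what the rule `Authentication.RawCredentials matches "Negotiate TlRM*"` actually keys on. The following Python is an added example for this thread; it is neither the poster's configuration nor McAfee Web Gateway code. It assumes a capture has already been reduced to a list of Q/A messages in the shape shown, and the NTLMSSP tokens it builds are constructed samples carrying only the 8-byte `NTLMSSP\0` signature and the 4-byte little-endian message type from MS-NLMP, not complete NTLM messages. `TlRM` is simply the base64 encoding of the bytes `NTL`, which is why the glob in the rule catches a browser sending raw NTLMSSP inside the Negotiate scheme.

```python
import base64
import binascii

# Every NTLMSSP message (Type 1 negotiate, Type 2 challenge, Type 3 authenticate)
# starts with this 8-byte signature, followed by a 4-byte little-endian type.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def ntlm_message_type(raw):
    """Return the NTLMSSP message type (1, 2 or 3), or None if raw is not NTLMSSP."""
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return int.from_bytes(raw[8:12], "little")


def classify_credentials(header):
    """Classify a Proxy-Authorization (or Proxy-Authenticate) header value.

    Returns (scheme, ntlm_type):
      ("negotiate", n)    Negotiate scheme carrying a raw NTLMSSP token of type n,
                          the case the rule 'matches "Negotiate TlRM*"' targets
      ("negotiate", None) Negotiate with a SPNEGO/Kerberos token, or a bare offer
      ("ntlm", n)         NTLM scheme with an NTLMSSP token of type n (None = bare offer)
      (scheme, None)      anything else, e.g. Basic
    """
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    token = token.strip()
    if scheme not in ("negotiate", "ntlm") or not token:
        return (scheme, None)
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return (scheme, None)
    return (scheme, ntlm_message_type(raw))


def matches_negotiate_tlrm_rule(header):
    """The post's glob 'Negotiate TlRM*': 'TlRM' is base64 for the bytes 'NTL',
    the start of the NTLMSSP signature, so it matches Negotiate wrapping NTLMSSP."""
    return header.startswith("Negotiate TlRM")


def find_reauth_after_type3(exchange):
    """Scan a capture (list of Q/A messages) and return the index of the first 407
    sent in reply to an NTLM Type 3 (authenticate) message, i.e. the point where
    the proxy restarts the handshake instead of answering 200. None if the
    exchange completes normally."""
    last_client_type = None
    for i, msg in enumerate(exchange):
        if msg["dir"] == "Q":
            cred = msg.get("proxy_authorization")
            last_client_type = classify_credentials(cred)[1] if cred else None
        elif msg["status"] == 407 and last_client_type == 3:
            return i
    return None


def _ntlm_token(msg_type):
    """Constructed sample token: signature + type only, not a full NTLM message."""
    return base64.b64encode(NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little")).decode()


# Constructed replay of the two Wireshark sequences from the post. Q = browser
# request, A = proxy response; tokens are the minimal constructed ones above.
GOOD_CASE = [
    {"dir": "Q"},
    {"dir": "A", "status": 407, "proxy_authenticate": ["Negotiate", "NTLM"]},
    {"dir": "Q", "proxy_authorization": "Negotiate " + _ntlm_token(1)},
    {"dir": "A", "status": 407, "proxy_authenticate": ["NTLM"]},
    {"dir": "Q", "proxy_authorization": "NTLM " + _ntlm_token(1)},
    {"dir": "A", "status": 407, "proxy_authenticate": ["NTLM " + _ntlm_token(2)]},
    {"dir": "Q", "proxy_authorization": "NTLM " + _ntlm_token(3)},
    {"dir": "A", "status": 200},
]
BAD_CASE = GOOD_CASE[:-1] + [
    {"dir": "A", "status": 407, "proxy_authenticate": ["Negotiate", "NTLM"]},
]

if __name__ == "__main__":
    for name, case in (("good", GOOD_CASE), ("bad", BAD_CASE)):
        hit = find_reauth_after_type3(case)
        print(name, "completed" if hit is None else f"re-challenged at message {hit}")
```

Run over the two constructed sequences, the good case completes and the bad case is flagged at the final 407, the `*bang*` response that arrives after the browser has already sent its Type 3 message. Note that the glob only inspects the first few characters of the header, while `classify_credentials` decodes the token and checks the full signature and message type, which is the more reliable check when reading a capture.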