2 Replies Latest reply on Dec 6, 2010 11:42 PM by salanis

    User Mapping not working with NTLM authentication

      Dear Friends,

       

      Need your expert comments on the below issue.

       

      We are using WW6.8.7 with NTLM authentication.

       

      It is observed that sometimes a few of the users get a "No Authorization" error message.

      When checked, it is observed that although the user has proper authorization for access, the User value in the error page shows either the URL field or the IP address, which causes the user mapping failure, and this happens with any of the users.

       

      How do I trace this issue, since it happens with IE as well as Firefox browser?

      Can someone shed some light on how to get rid of the issue?

       

      Appreciating your valued comments.

       

       

      Regards,

       

      Sandeep.

        • 1. Re: User Mapping not working with NTLM authentication
          apellepa

          We detected the same issue a month ago.

          Investigation shows that the problem is on the browser side (the browser sends an authorization request after successful authorization).

          For business-critical sites I open access without authorization (look at page 131 of the MWG system configuration administration guide).

          But I think that McAfee can add some additional measures to help resolve this issue (do not check authorization if the user is already authorized).

          • 2. Re: User Mapping not working with NTLM authentication

            In Web Gateway 6.8.7 you can use the ICAP tracing feature located in Configuration > Debugging > Tracing.

            We recommend using 'Trace connection only for source IP' and entering your client IP only, to minimize the amount of files created.

            When you have your client browser ready for testing, you can check 'Connection tracing' and apply the changes.

            When you're done testing, make sure to uncheck connection tracing and apply the changes.

             

            On that very same page there's a link to open the list of traced connections created whilst testing and you will see many files.

             

            If you take a look at the screenshot, I highlighted the two files of interest, which contain the letters 'is' as part of the file name.

             

            tracess.jpg

             

            When you open these files you will see something like the image below. The first dot shows my client machine making a CONNECT request to community.mcafee.com; then the ICAP server figures out I am not authenticated and replies with an HTTP 407 - Proxy Authentication Required.

            You can use this example if you choose to further troubleshoot on your own. This can be applied to filtering issues as well and is thus not limited to authentication. However, if it's becoming too much of an issue, I would call technical support and have them aid with this issue.

             

            traces2.jpg

             

             

            on 12/6/10 11:42:44 PM CST