9 Replies Latest reply on Aug 2, 2011 3:02 PM by jgodbout

    Authentication without a pop-up

      Our management is picky. They don't ever want to see a pop-up box for authentication.

      We are using Proxy HA mode, MWG 7.x and NTLM authentication. As long as the users are in Chrome or IE they don't get a pop-up. They get authenticated and get to webpages based on the groups they belong to.

      In Firefox, a username and password are prompted for.

      In certain apps like Dropbox, Zune software, Akamai downloader ... you can't specify a username and password for the proxy, and the app just fails to work.

      Is there a good way to go about this?

      I'm not sure what the ruleset would look like for this scenario.

      Thanks for any help,

      Joel.

        • 1. Re: Authentication without a pop-up

          In a nutshell, for Internet Explorer/Chrome users we want to use NTLM authentication; everything else we want to just automatically get the unauthenticated ruleset.

          • 2. Re: Authentication without a pop-up

            For background auth with Firefox, you can put your gateway IP with port in the network.automatic-ntlm-auth.trusted-uris setting. You can get to that by typing about:config in the URL window.

            Our examples are as follows: https://webgateway01:10000,https://webgateway02:10000, etc. The computer has to be on the domain though, I believe, in order for it to work. You are correct though, some apps just fail with background auth, and our rinky-dink workaround is to open up a browser and then it works.

            • 3. Re: Authentication without a pop-up
              jont717

              Joel,

              In Firefox, search for and install the add-on NTLMAuth.

              Once installed, look under Tools. You then place your MWG address into the list, and that allows Firefox to pass NTLM authentication in the background. Add one for http:// and https://.

              No more pop-ups. Works great.

              As for the other applications, if there is no place to put in proxy settings (which most programs do have), you will have to make a rule set to allow those programs through without authentication. This is the only way to do it. You do this by User-Agent. Check your logs when you use those programs and you will see what User-Agent they come up as. Then you make a rule in your authentication rule set that says: if it is this User-Agent, then skip authentication.

              • 4. Re: Authentication without a pop-up

                An example of a program that doesn't work is Dropbox. It has proxy settings, but when I set it to auto it doesn't work. If I put it in manually with the IP and user/pass it still doesn't work.

                IE/Firefox/Chrome work fine with the proxy.

                These little apps do not. When I googled what User-Agent Dropbox uses I came up with "it doesn't use one".

                If I put 'dropbox.com' in our global whitelist it doesn't work either.

                Very frustrating.

                • 5. Re: Authentication without a pop-up

                  I could be wrong, but as I recall when I tested the Dropbox client a few months ago, it used the proxy settings in IE, but it could not use SSL decryption and NTLM authentication. I think it did use BasicAuth, however.

                  Like I said, I could be wrong.

                  • 6. Re: Authentication without a pop-up
                    Jon Scholten

                    What do the logs show? This should contain all the information needed in order to bypass for it.

                    The logs can be found under Troubleshooting > Log files.

                    This should contain a User-Agent if one is present (Header.Request.Get("User-Agent")), and also show you the domains it is accessing, in case it is not just "dropbox.com" (which I know that it is not; I don't remember the exact format of their URLs).

                    ~Jon

                    • 7. Re: Authentication without a pop-up

                      Not seeing anything in the access log. Would it be in another one?

                      clientXX.dropbox.com is the syntax they use. In my global whitelist, "url.host is in list" with dropbox.com in the list didn't work.

                      header.request.get("User-Agent") equals "" is what I was using to capture the blank User-Agent. That also didn't work.

                      Eelsasser, what do you mean it can't use SSL decryption and NTLM authentication? How do I account for that on the McAfee?

                      Thanks,

                      Joel

                      • 8. Re: Authentication without a pop-up

                        OK, you made me break out my test machine again.

                        When you try to run Dropbox, it has proxy settings.

                        [screenshot: dropbox1.JPG]

                        It will honor IE settings, but won't work because of NTLM authentication. It cannot discover the plain-text password from the machine to use in BasicAuth.

                        You have to set up the client explicitly:

                        [screenshot: DropBox7.JPG]

                        This will allow authentication to work:

                        [screenshot: DropBox5.JPG]

                        After that, if you have SSL encryption turned on, it will fail:

                        [screenshot: DropBox2.JPG]

                        It fails because the Dropbox client expects a particular CA and it will not accept the gateway's CA.

                        [screenshot: DropBox3.JPG]

                        So you have to turn off SSL scanning for *.dropbox.com.

                        (And you will not be able to see the User-Agent as attempted above.)

                        Once you turn off SSL scanning, then and only then can you connect:

                        [screenshot: DropBox6.JPG]

                        So, you can use Dropbox, but...

                        you must use BasicAuth and enter your password into the client explicitly.

                        you cannot do SSL scanning (especially antimalware scanning) on the traffic.
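
Added example (not from this thread, McAfee or Dropbox): a small Python helper for the log triage jont717 and Jon Scholten describe in replies 3 and 6 (group 407 Proxy Authentication Required hits by User-Agent and host) plus the wildcard host check that eelsasser's "*.dropbox.com" SSL-scan exception in reply 8 implies. The access-log layout and every sample line are constructed for the example and are not MWG's real log format; `SSL_SCAN_BYPASS` is an assumed list, not a product setting.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample access-log lines in a simplified layout (NOT MWG's real
# format): client_ip status method url "user-agent"
SAMPLE_LOG = """\
10.1.2.3 407 CONNECT client12.dropbox.com:443 ""
10.1.2.3 407 CONNECT client7.dropbox.com:443 ""
10.1.2.4 200 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Firefox/5.0"
10.1.2.5 407 GET http://catalog.zune.example/x "Zune/4.8"
10.1.2.6 200 CONNECT mail.example.com:443 "Mozilla/5.0 Chrome/13"
"""

LINE_RE = re.compile(r'^(\S+) (\d{3}) (\S+) (\S+) "([^"]*)"$')

def host_of(url):
    """Strip scheme, path and port so CONNECT and GET entries compare alike
    (IPv6 literals are not handled in this example)."""
    host = re.sub(r'^[a-z]+://', '', url).split('/')[0]
    return host.rsplit(':', 1)[0] if ':' in host else host

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, status, method, url, agent = m.groups()
    return {"ip": ip, "status": int(status), "method": method,
            "host": host_of(url), "agent": agent}

def auth_failures(log_text):
    """Group 407 responses by User-Agent -> sorted hosts. An empty key is a
    client that sent no User-Agent at all (the Dropbox case in the thread)."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["status"] == 407:
            found[e["agent"]].add(e["host"])
    return {agent: sorted(hosts) for agent, hosts in found.items()}

# Assumed wildcard list of hosts excluded from SSL scanning, per reply 8.
SSL_SCAN_BYPASS = ["*.dropbox.com"]

def skip_ssl_scan(host):
    """True when the host matches a bypass pattern; the pattern must match the
    whole host, so dropbox.com.example is not treated as Dropbox."""
    return any(fnmatchcase(host.lower(), pat) for pat in SSL_SCAN_BYPASS)

if __name__ == "__main__":
    for agent, hosts in auth_failures(SAMPLE_LOG).items():
        print(repr(agent), hosts, [skip_ssl_scan(h) for h in hosts])
```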

                        • 9. Re: Authentication without a pop-up

                          Perfect. Thanks!

                          I have applied that to Dropbox and a couple other apps that I was having problems with and that has fixed them as well.