We have a complex proxy environment that we are trying to migrate to MWG. We would like to:
- Authenticate the user with NTLM, if they are on the domain. (Transparent to the user)
- Re-authenticate if they are not on the domain or they are not in a particular AD group. (Prompts the user)
- Allow the user to get to a certain group of URLs (e.g. weather.com) and log the user ID if available.
- Block the user if they aren't in a particular AD group.
Where I seem to have problems is when the user is authenticated but not in the Internet-allowed AD group and goes to weather.com: all the parts of weather.com not hosted on weather.com keep asking the user to authenticate.
I thought of two ways around this, but I can't seem to implement them.
- Have a default block page with a button that will cause the user to be re-authenticated.
- Once the user has successfully typed in their credentials, don't re-authenticate for a set period of time.
If anyone knows how to do this, that would be great, or if you have some other workaround, awesome!
This is what Erik_Elsasser came up with for a start, but adding the Stop Rule Set for "URL matches in list" for weather.com between the two rules causes the Second Authentication Attempt to keep happening for all the non-weather.com content hosted on weather.com: