0 Replies Latest reply on Oct 11, 2011 2:03 PM by bkirk

    Authentication Woes!

    bkirk

      We have a complex proxy environment that we are trying to migrate to MWG. We would like to:

      1. Authenticate the user with NTLM if they are on the domain (transparent to the user).
      2. Re-authenticate if they are not on the domain or they are not in a particular AD group (prompts the user).
      3. Allow the user to get to a certain group of URLs (i.e. weather.com) and log the user ID if available.
      4. Block the user if they aren't in a particular AD group.

      Where I seem to have problems is when the user is authenticated but not in the Internet-allowed AD group and is going to weather.com: all the parts of weather.com not hosted on weather.com will keep asking the user to authenticate.

      I thought of 2 ways around this, but I can't seem to implement them.

       

      1. Have a default block page that has a button that will cause the user to be re-authenticated.
        or
      2. Once the user has successfully typed in their credentials, don't re-authenticate for a set period of time.

      If anyone knows how to do this, that would be great, or if you have some other workaround, awesome!

       

      Thank you,

      Brian

      This was what Erik_Elsasser came up with for a start, but adding the Stop Rule Set rule for "URL matches in list" for weather.com between the two rules causes the Second Authentication Attempt to keep happening for all the non-weather.com content hosted on weather.com:

      NTLM Authentication
      [Ruleset to authenticate the user if user is not authenticated.]

      Enabled
      Applies to Requests: True / Responses: False / Embedded Objects: False
      1: Connection.Protocol equals "HTTP"
      2: OR Connection.Protocol equals "HTTPS"

      Rule 1 (Enabled): Authenticate User database integrated
        Criteria: 1: Authentication.Authenticate<lordchariot.local> equals false
        Action:   Authenticate<Default>
        Comment:  Authenticate the user with the database.

      Rule 2 (Enabled): Allow Whitelisted URLs and Log UserID if authenticated
        Criteria: 1: URL.Host matches in list Whitelist URLs
        Action:   Stop Rule Set
        Comment:  Allow Access to Whitelisted URLs. This rule is repeated in the category section, and a default block rule should clean up anything else in the category section.

      Rule 3 (Enabled): Second Authentication Attempt
        Criteria: 1: Authentication.Authenticate<lordchariot.local> equals true
                  2: AND Authentication.UserGroups does not contain "IN-HDQ-Standard"
        Action:   Authenticate<Default>
        Comment:  This pops up a logon prompt if you are not already in the IN-HDQ-Standard group, and a user/password must be entered that is in the group.
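The rule set above, modelled as an added example (not part of the original post or of MWG) to show why embedded objects from hosts outside the whitelist hit the second Authenticate rule on every request, and how the poster's option 2 (remember a successful second authentication for a set period) changes that. The whitelist contents, the 900-second grace period, the client IP keying and the `reauth_cache` structure are assumptions; `URL.Host matches in list` is simplified to exact host membership.

```python
from dataclasses import dataclass
from typing import Optional, Dict, Tuple

# Constructed sample data: a "Whitelist URLs" list like the post's, and the AD
# group named in the post. The grace period for option 2 is an assumed value.
WHITELIST = {"weather.com", "www.weather.com"}
REQUIRED_GROUP = "IN-HDQ-Standard"
GRACE_SECONDS = 900

@dataclass(frozen=True)
class Request:
    client_ip: str
    host: str
    user: Optional[str]            # None: NTLM did not identify the user
    groups: frozenset = frozenset()

# Hypothetical state behind option 2: client_ip -> (re-authenticated user, expiry)
ReauthCache = Dict[str, Tuple[str, float]]

def evaluate(req: Request, reauth_cache: ReauthCache, now: float) -> str:
    """Evaluate the post's three rules top to bottom for one request.

    Passing an empty cache reproduces the original (looping) behaviour.
    """
    # Rule 1: not authenticated -> Authenticate<Default> logon prompt.
    if req.user is None:
        return "PROMPT_LOGON"
    # Rule 2: whitelisted host -> Stop Rule Set; allow and log the user ID.
    if req.host in WHITELIST:
        return f"ALLOW (log {req.user})"
    # Option 2: a recent successful second authentication from this client
    # satisfies the group requirement without prompting again.
    cached = reauth_cache.get(req.client_ip)
    if cached is not None and cached[1] > now:
        return f"ALLOW (as {cached[0]})"
    # Rule 3: authenticated but not in the group -> second Authenticate prompt.
    # Third-party hosts embedded in a whitelisted page land here every time.
    if REQUIRED_GROUP not in req.groups:
        return "PROMPT_REAUTH"
    return "ALLOW"

def record_reauth(reauth_cache: ReauthCache, client_ip: str, user: str, now: float) -> None:
    """Record that an in-group account was entered at the second prompt."""
    reauth_cache[client_ip] = (user, now + GRACE_SECONDS)

if __name__ == "__main__":
    cache: ReauthCache = {}
    page = Request("10.0.0.5", "www.weather.com", "bkirk")      # constructed
    embedded = Request("10.0.0.5", "imgcdn.example", "bkirk")   # constructed
    print(evaluate(page, cache, 0), evaluate(embedded, cache, 0))
    record_reauth(cache, "10.0.0.5", "helpdesk", 0)
    print(evaluate(embedded, cache, 100), evaluate(embedded, cache, 1000))
```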