6 Replies Latest reply on Jan 19, 2012 6:29 PM by Jon Scholten

    Mixed authentication methods (Fallback from Integrated to basic)

    ericappelboom

      Hi,

      I have configured integrated authentication for all users, which prompts for credentials if not domain joined. This works as expected; however, I have another LDAP user directory that should be queried. MWG appears to only allow Basic auth integration with an LDAP directory. Any ideas how this can be done?

      In addition, does MWG allow the default integrated authentication domain to be set, avoiding users typing domain\ before usernames (on non domain joined client authentication prompts)? I know this is generally not supported.

      Eric

      Message was edited by: ericappelboom on 2/01/12 10:22:14 PM
        • 1. Re: Mixed authentication methods (Fallback from Integrated to basic)
          Jon Scholten

          Hi Eric!

          What you are asking for seems possible, and I'm pretty sure I've seen it done.

          To clarify, you want to have the Web Gateway perform authentication using NTLM first and, if that fails, reprompt the user and try against LDAP. Is this correct? Once I get clarification on that, I'll try and mock something up.

          In regards to the default domain, Web Gateway does allow you to set a "default domain", so if a browser does not send a domain then it will fall back to the specified domain (this is set in the default domain settings for the NTLM). BUT, by default IE for example will send the computer name as the domain, so the Web Gateway will interpret that as the domain (which it should). Firefox, for reference, does NOT send a domain, so Web Gateway can assume the default domain based on your settings. tl;dr: no, the default domain cannot be substituted because the browser (IE) sends a domain by default.

          ~jon

          Message was edited by: jscholte added: "Once I get clarification on that, I'll try and mock something up." on 1/5/12 2:06:42 PM CST
          • 2. Re: Mixed authentication methods (Fallback from Integrated to basic)
            ericappelboom

            Hi Jon, that is correct. The best solution would be to avoid returning any 407 and prompting only once (ease of use, and it avoids confusing end users).

            Integrated auth is only required for SOE / managed desktops. I have been looking to test the user agent / set a cookie and set the auth type; if that fails in the cycle, continue with the currently in place legacy basic authentication (NTLM-AGENT and LDAP) prompts.

            Thoughts?

            Eric

            • 3. Re: Mixed authentication methods (Fallback from Integrated to basic)
              Jon Scholten

              I may have jumped the gun on this, but I'm not sure that we can fall back from NTLM to basic in the manner you described (one prompt). The reason is that with NTLM the Proxy-Authentication headers are generated using the NTLM method (negotiate, challenge, authenticate), but Basic auth is simply a base64 header with the encoded credentials.

              If we were only doing basic authentication then this would be possible, because the Web Gateway can then just plug and chug the credentials against any directory you have defined.

              But if we're doing NTLM first (the browser will always choose the "best" method it supports), then the Web Gateway cannot take credentials given to it from the client and check them against LDAP (for example), because they are not in an acceptable format to do so.

              There is a ruleset in the online rule library:

              https://contentsecurity.mcafee.com/ruleset_library/dl?type=package&rule_id=50014

              You must have a login to access that ruleset along with the documentation on the rule (there is a PDF which explains what I have above, in much greater detail).

              Perhaps others have found another way to address this type of situation, but based on the information I have found it may not be possible (with one prompt).

              Best Regards,

              Jon
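Jon's explanation above (and the default-domain point in his first reply) can be made concrete with a small header parser, added here as an example that is not part of the thread or of Web Gateway: it classifies a `Proxy-Authorization` value, decodes Basic credentials (applying an assumed default domain when none was typed) and, for an NTLM token, reports only the message type, since the NTLM exchange never carries the password an LDAP bind would need. `DEFAULT_DOMAIN` and the header builders are constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Assumed gateway setting for this example: the NTLM "default domain" Jon mentions.
DEFAULT_DOMAIN = "CORP"
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


@dataclass
class ProxyAuth:
    scheme: str                          # "basic", "ntlm", "negotiate" or "unknown"
    domain: Optional[str] = None         # recoverable only from a Basic header
    user: Optional[str] = None
    password: Optional[str] = None
    ntlm_message: Optional[str] = None   # NTLM message type when the token is NTLMSSP
    ldap_verifiable: bool = False        # True only if a plaintext password is present


def parse_proxy_authorization(header: str, default_domain: str = DEFAULT_DOMAIN) -> ProxyAuth:
    """Classify a Proxy-Authorization value and say whether an LDAP bind could verify it."""
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is just base64("user:password"): the gateway can bind to LDAP with it.
        user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
        domain, sep, name = user.partition("\\")
        if not sep:                      # no "DOMAIN\" typed: fall back to the default domain
            domain, name = default_domain, user
        return ProxyAuth("basic", domain, name, password, ldap_verifiable=True)
    if scheme in ("ntlm", "negotiate"):
        raw = base64.b64decode(token)
        msg = None
        if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
            msg = NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "unknown")
        # NTLM carries a challenge/response, never the password, so LDAP cannot check it.
        return ProxyAuth(scheme, ntlm_message=msg, ldap_verifiable=False)
    return ProxyAuth("unknown")


def basic_header(user: str, password: str) -> str:
    """Constructed Basic header, as a browser sends after answering the 407 prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def ntlm_header(message_type: int) -> str:
    """Constructed, minimal NTLMSSP token (signature, message type, zeroed flags)."""
    raw = NTLM_SIGNATURE + message_type.to_bytes(4, "little") + b"\x00" * 4
    return "NTLM " + base64.b64encode(raw).decode()
```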
              • 4. Re: Mixed authentication methods (Fallback from Integrated to basic)
                ericappelboom

                Hi Jon, is there a rule for forms based authentication to capture the credentials? I expect this would address most requirements.

                • 5. Re: Mixed authentication methods (Fallback from Integrated to basic)
                  Jon Scholten

                  Hey Eric,

                  I haven't forgotten about you.

                  One of my colleagues (cnewman, with some help from dev too) has performed what you described: NTLM Proxy Authentication with fallback to a login page if proxy auth fails.

                  I recreated it; the rules are a bit complicated, but it appears to work. Almost tooo good...

                  To give a little background, the ruleset will first try NTLM, then fall back to using the login page and query the credentials submitted against a second directory (in my case, the user database). There are some rules in there to make sure the failure runs smoothly (like setting user defined variables and whatnot).

                  Check it out and let me know how she runs.

                  ~Jon

                  • 6. Re: Mixed authentication methods (Fallback from Integrated to basic)
                    Jon Scholten

                    Here is an updated version; I was missing a few rules under the Authentication Server request ruleset.

                    The PDStorage rules/events are there to avoid strange user behavior in case they access a site with a lot of embedded content (otherwise they may receive a lot of auth prompts).

                    ~Jon