What you are asking for seems possible, and I'm pretty sure I've seen it done.
To clarify, you want to have the Web Gateway perform authentication using NTLM first, if that fails, reprompt the user and try against LDAP. Is this correct? Once I get clarification on that, I'll try and mock something up.
In regards to the default domain, Web Gateway does allow you to set a "default domain", so if a browser does not send a domain then it will fall back to the specified domain (this is set in the default domain settings for the NTLM). BUT, by default IE for example will send the computer name as the domain, so the Web Gateway will interpret that as the domain (which it should). Firefox for reference does NOT send a domain, so Web Gateway can assume the default domain based on your settings. tl;dr: no, the default domain cannot be substituted because the browser (IE) sends a domain by default.
Hi Jon, That is correct. The best solution would be to avoid returning any 407 and prompting only once. (Ease of use and avoids confusing end users)
Integrated auth is only required for SOE / managed desktops. Have been looking to test the user agent / set a cookie and set the auth type; if that fails in the cycle, continue with the currently in place legacy basic authentication (NTLM-AGENT and LDAP) prompts.
I may have jumped the gun on this, but I'm not sure that we can fall back from NTLM to basic in the manner you described (one prompt). The reason is that with NTLM the Proxy-Authentication headers are generated using the NTLM method (negotiate, challenge, authenticate), but Basic auth is simply a base64 header with the encoded credentials.
If we were only doing basic authentication then this would be possible, because the Web Gateway can then just plug and chug the credentials against any directory you have defined.
But if we're doing NTLM first (the browser will always choose the "best" method it supports) then the Web Gateway cannot take credentials given to it from the client and check them against LDAP (for example) because they are not in an acceptable format to do so.
There is a ruleset in the online rule library:
You must have a login to access that ruleset along with the documentation on the rule (there is a PDF which explains what I have above, in much greater detail).
Perhaps others have found another way to address this type of situation, but based on the information I have found it may not be possible (with one prompt).
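The header-format difference described above, as an added example that is not from this thread or from Web Gateway: a small parser showing what a proxy can actually recover from a Basic header (a username and password it can check against LDAP) versus an NTLM Type 3 message (a domain, a user name and a challenge response, but no password). The build_ntlm_type3 helper and the sample credentials are constructed for the demo.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def classify_proxy_auth(header_value):
    """Describe what a Proxy-Authorization header value carries.

    Basic -> plaintext user and password, checkable against any directory.
    NTLM  -> only the message type; a Type 3 names the domain and user but
             carries a challenge response computed from the password, not
             the password itself, so nothing can be replayed against LDAP.
    """
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password, "ldap_checkable": True}
    if scheme in ("ntlm", "negotiate"):
        raw = base64.b64decode(token)
        if not raw.startswith(NTLMSSP_SIGNATURE):
            raise ValueError("not a raw NTLMSSP message (e.g. SPNEGO/Kerberos)")
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": "NTLM", "type": NTLM_TYPES.get(msg_type, "unknown"), "ldap_checkable": False}
        if msg_type == 3:
            # Type 3 field descriptors (len, maxlen, offset) sit at fixed header positions:
            # LM 12, NT 20, Domain 28, User 36, Workstation 44, SessionKey 52, Flags 60.
            nt_len, _, _ = struct.unpack_from("<HHI", raw, 20)
            dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 28)
            usr_len, _, usr_off = struct.unpack_from("<HHI", raw, 36)
            info["domain"] = raw[dom_off:dom_off + dom_len].decode("utf-16-le")
            info["user"] = raw[usr_off:usr_off + usr_len].decode("utf-16-le")
            info["nt_response_len"] = nt_len  # opaque response, not a password
        return info
    raise ValueError("unsupported scheme: %s" % scheme)


def build_ntlm_type3(domain, user, nt_response):
    """Constructed sample Type 3 (Authenticate) message with Unicode strings, demo only."""
    blobs = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    offset, payload = 64, b""  # payload starts right after the 64-byte fixed header
    for blob in blobs:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(blob), len(blob), offset)
        offset += len(blob)
        payload += blob
    header += struct.pack("<I", 0x00000001)  # NegotiateFlags: Unicode (constructed)
    return header + payload
```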
Hi Jon, Is there a rule for forms-based authentication to capture the credentials? I expect this would address most requirements.
I haven't forgotten about you.
One of my colleagues (cnewman with some help from dev too) has performed what you described, NTLM Proxy Authentication with fallback to Login page if proxy auth fails.
I recreated it; the rules are a bit complicated, but it appears to work. Almost too good...
To give a little background the ruleset will first try NTLM, then fall back to using the login page and query the credentials submitted against a second directory (in my case, the user database). There are some rules in there to make sure the failure runs smoothly (like setting user defined variables and what not).
Check it out and let me know how she runs.
Here is an updated version, I was missing a few rules under the Authentication Server request ruleset.
The PDStorage rules/events are there to avoid strange user behavior in case they access a site with a lot of embedded content (otherwise they may receive a lot of auth prompts).