1 2 Previous Next 12 Replies Latest reply on Mar 6, 2013 7:32 AM by lukas.rajgl

    Authentication issue

      Hi Guys,

       

      I am facing authentication issue with  a public site sgplive.barcap.com (requires login). Once logged in will have to click on an internal link to initiate a connection to citrix server which prompts for a login.

      Even if I enter the credentials it doesnt get past !

       

      when I by pass the proxy it works fine, but via MWG it prompts a  for login.  Herewith attaching the tcpdump for the same, appreciate your valuable suggestions.

       

      Cheers

      Srini

        • 1. Re: Authentication issue
          asabban

          Hi Srini,

           

          I took a very quick look into the capture, but it seems that most of the interesting part is happening within the SSL tunnel. Maybe you want to file a service request with support, since they can have a deeper look into this specific issue.

           

          To collect data about what is happening in the SSL tunnel you could try to enable connection traces as well, which log the traffic that MWG sees and will also contain the communication from within the tunnel (if SSL Scanner is enabled). One thing you may want to try is having a whitelist entry for the domain causing the issue and skipping filters and authentication. Maybe you could also skip SSL Scanner to prevent MWG from touching the traffic, and simply pass it along. If it works then we know that it is probably a filter, SSL Scanner, Authentication or something similar that causes the issues. If it still does not work, probably the server does not like a proxy in the loop.

           

          Best,

          Andre

          • 2. Re: Authentication issue

            Hi Andre,

             

            Apologies for the delay,

             

            Since I dont have the login credentials, I wil have to wait for the user availability to test the suggested scenarios.

             

            Will test and let you guys know.

             

            Cheers

            Srini

            • 3. Re: Authentication issue
              asabban

              Hi Srini,

               

              thats fine. Let us know if you got the chance to test.

               

              Best,

              Andre

              • 4. Re: Authentication issue

                H Andre,

                 

                I tested it out by whitelisting and it din't work. But when I bypass authentication it works fine.Also tried disabling SSL scanner, still the same. since there is no other rule between authentication and whitelisting, I strongly believe its got something to do with the authentication for the site.

                Herewith attaching the Authentication bypassed capture and the non working one and SSL scanner disabled

                 

                Message was edited by: srini2411 on 3/19/12 1:50:43 AM CDT

                 

                Message was edited by: srini2411 on 3/19/12 2:11:11 AM CDT
                • 5. Re: Authentication issue
                  asabban

                  Hi Srini,

                   

                  thank you for the traces. There is only one difference I can find but I can´t promise that this is the problem.

                   

                  A lot of CONNECT requests are made. but all of them seem to be authenticated fine, e.g. the client sends a CONNECT request, MWG answers with a "407" to ask for authentication, and the client starts to authenticate. Once authentication is done all looks good. But there is ony connection going to tocket.barcap.com which seems to behave differently. In the trace without authentication the client requests this URL and data goes back and forth as expected.

                   

                  With authentication enabled the client asks for this URL, MWG sends a "407" to ask the client to authenticate, but no more data is coming. The client does not come back again and send credentials to MWG so this part of the communication is never established. You could try to only whitelist this host from authentication, maybe this is already suitable to allow the site to work fine. If that does not help you may want to file a support ticket as well, to have support look into the issue as well.

                   

                  Best,

                  Andre

                  • 6. Re: Authentication issue
                    Troja

                    Hi Srnini2411,

                    we solved a problem yesterday with a Citirx ICA Client at a customer. Are you using such a clilent.

                     

                    We figured out the following behaviour with ICA. When anything is changed in the communication the ICA Client tries to connect directly to the citrix server.

                    Check this in the command line: netstat -na |find /i "syn"

                    If you get an result you have the same troubles as we resolved yesterday. :-)

                     

                    The second problem was a coaching Ruleset for uncategorized WebSites. ICA is not clicking the "Continue" Button. *g*

                     

                    Try the debugging RuleSet. Perhaps you can figure out something.

                     

                    Cheers,

                    Thorsten

                     

                    Nachricht geändert durch Troja on 22.03.12 10:12:36 MEZ
                    • 7. Re: Authentication issue

                      Hi Thorsten,

                       

                      That's interesting, actually there is an internal link which initiates a citrix connection. Let me try the suggested command and get back.

                       

                      Cheers

                      Srini

                      • 8. Re: Authentication issue

                        Hi Andre,

                         

                        Thanks for the suggestion, let me try the same aswell.

                         

                        Cheers

                        Srini.

                        • 9. Re: Authentication issue

                          Hi Thorsten,

                           

                          I did try running the suggested command netstat -na |find /i "syn" on the users machine and found the below as attached.

                           

                          May I Know what had caused and what was the fix in your case ?

                           

                          Cheers

                          Srini

                           

                          Message was edited by: srini2411 on 3/26/12 4:24:44 AM CDT
                          1 2 Previous Next