5 Replies Latest reply on Jul 25, 2012 7:49 AM by asabban

    auth popup on thin client

    fwmonitor

      Hello,

      we have a setup with thin clients and LDAP auth which works well if only a few clients are accessing the internet. But the users start getting auth popups as the number of users increases.

      [thin client]
      |
      10.0.0.0/24
      |
      [squid + openldap on solaris (multihome)]
      |
      172.16.0.0/24
      |
      [mwg7]
      |
      [firewall]
      |
      Internet

      The squid passes the Auth Header and X-Forwarded-For to the MWG7. In mwg-core_Auth I see messages like:

      Authentication didn't return values, failure ID: 4, authentication failed: 0

      Authentication didn't return values, failure ID: 6, authentication failed: 1

      Authentication didn't return values, failure ID: 8, authentication failed: 1

      What do these error IDs mean?

      There are no errors in the openldap log.

      The tcpdump shows the MWG suddenly answers with 407 despite the provided Proxy-Authorization header with correct credentials:

      POST http://www.focus.de/ajax/catchline/ HTTP/1.0
      Host: www.focus.de
      User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; de; rv:1.9.2.16) Gecko/20110324 Firefox/3.6.16
      Accept: */*
      Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Referer: http://www.focus.de/
      Content-Length: 33
      Cookie: OmniUserID=1340191842695; __utma=188002103.477138154
      Proxy-Authorization: Basic dXNlcjpwYXNz
      Pragma: no-cache
      Via: 1.1 proxy:9090 (squid/2.7.STABLE6)
      X-Forwarded-For: 10.0.0.5
      Cache-Control: no-cache, max-age=259200
      Proxy-Connection: keep-alive
      
      nDateFetch=1340192451&sMode=fetch
      
      
      HTTP/1.0 407 authenticationrequired
      Via: 1.0 172.16.0.245 (McAfee Web Gateway 7.2.0.1.0.13253)
      Content-Type: text/html
      Cache-Control: no-cache
      Content-Length: 2802
      Proxy-Connection: Keep-Alive
      Proxy-Authenticate: Basic realm="McAfee Web Gateway"

      mwg-core__Auth:

      [2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) URL: http://www.focus.de/ajax/catchline/
      [2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Configuration: LDAP-Schule Connection: 0x7fe7c08fe120 RR: 0x2c64610
      [2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Incoming credentials: Basic dXNlcjpwYXNz
      [2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) User entry not found in user cache
      [2012-06-20 13:43:45.528 +02:00] [6265] LDAP (291834, 10.0.0.5) Mapping of user name "user" to DN returned 0 ""
      [2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
      [2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Authentication didn't return values, failure ID: 8, authentication failed: 1

      If I disable auth caching, the problem only gets worse. Similar problem: https://community.mcafee.com/message/218256

      Any ideas how to troubleshoot?

      best regards

      on 20.06.12 13:24:48 CDT

      on 20.06.12 13:33:56 CDT
        • 1. Re: auth popup on thin client
          asabban

          Hello,

          the messages from the auth log file indicate that there is a problem which prevents MWG from successfully talking to the LDAP server and retrieving the attributes for the user "user". Since you state that this only happens under some load and gets worse when the cache is disabled, I believe there may be connectivity problems between MWG and the LDAP server.

          It seems like MWG is not able to connect to the LDAP server. Are you able to check log files on the LDAP server or any router/firewall that is between MWG and the LDAP server and see if there is any reason why a connection may be dropped? Maybe the LDAP server is overloaded from a networking perspective (which would explain why the LDAP server itself does not log anything). If there is no indication, I recommend running a tcpdump on MWG, capturing all LDAP traffic (port 389) and reproducing the problem. This may help to better understand what is happening on the network layer.

          best,

          Andre

          Message edited by asabban on 22.06.12 06:40:43 CDT
          • 2. Re: auth popup on thin client
            fwmonitor

            Hello,

            actually I did capture the whole traffic and can see the LDAP communication with successful responses (bindResponse success and searchResDone success), but the MWG only does a bindRequest without asking for attributes, which results in "Authentication didn't return values, failure ID: 4, authentication failed: 0" - the auth (bind) is successful, but auth didn't return attributes, because MWG _didn't ask_ for them.

            I can provide a pcap file (already filtered).

            regards

            P.S. For these entries from mwg-core__Auth there are no LDAP packets at all:

            [2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) URL: http://stat.flashtalking.com/reportV3/ft.stat?4215270-0-310-0-1632A4505D2E06-667590-548x0x0x0
            [2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Configuration: LDAP-Schule Connection: 0x2b95070 RR: 0x2c60ba0
            [2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
            [2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Authentication didn't return values, failure ID: 4, authentication failed: 0

            on 22.06.12 10:39:18 CDT
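Added here as an example, not code from the thread or from McAfee: a Python script that groups mwg-core__Auth lines like those in the original post and in this reply by transaction id and reports which lookup steps are absent before the "didn't return values" line, so ID 4 entries with no "Incoming credentials" or DN mapping logged stand out from the ID 8 ones. The sample lines are constructed in the quoted format and the step labels are my own.

```python
import re

# Constructed sample in the mwg-core__Auth format quoted in the thread: transaction
# 291834 fails with ID 8 after an empty DN mapping, 291857 with ID 4 and no credentials logged.
SAMPLE_LOG = """\
[2012-06-20 13:43:45.524 +02:00] [6345] LDAP (291834, 10.0.0.5) Incoming credentials: Basic dXNlcjpwYXNz
[2012-06-20 13:43:45.528 +02:00] [6265] LDAP (291834, 10.0.0.5) Mapping of user name "user" to DN returned 0 ""
[2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
[2012-06-20 13:43:45.528 +02:00] [6346] LDAP (291834, 10.0.0.5) Authentication didn't return values, failure ID: 8, authentication failed: 1
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Added authentication method: Basic realm="McAfee Web Gateway"
[2012-06-20 13:43:51.392 +02:00] [6321] LDAP (291857, 10.0.0.5) Authentication didn't return values, failure ID: 4, authentication failed: 0
"""

LINE_RE = re.compile(r"^\[[^\]]+\] \[\d+\] LDAP \((\d+), ([^)]+)\) (.*)$")
FAIL_RE = re.compile(r"failure ID: (\d+), authentication failed: (\d)")
MAP_RE = re.compile(r'to DN returned (\d+) "')
# Message prefix -> step label (labels are mine), in the order the thread's
# first excerpt logs them for a complete lookup.
STEPS = {
    "Incoming credentials:": "credentials",
    "Mapping of user name": "dn_mapping",
    "Added authentication method:": "challenge",
    "Authentication didn't return values": "no_values",
}

def parse_auth_log(text):
    """Group lines by transaction id; record steps seen, failure id and DN count."""
    txns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth line in this format; do not guess
        txn, client, msg = m.groups()
        rec = txns.setdefault(txn, {"client": client, "steps": [], "failure_id": None,
                                    "auth_failed": None, "dn_count": None})
        rec["steps"] += [lbl for pre, lbl in STEPS.items() if msg.startswith(pre)]
        if f := FAIL_RE.search(msg):
            rec["failure_id"], rec["auth_failed"] = int(f[1]), int(f[2])
        if d := MAP_RE.search(msg):
            rec["dn_count"] = int(d[1])
    return txns

def missing_steps(rec):
    """Steps of the full sequence this transaction never logged, in sequence order."""
    return [lbl for lbl in STEPS.values() if lbl not in rec["steps"]]

def summarize(text):
    """Per transaction: failure id, failed flag, DN count and the steps never logged."""
    return {t: {**{k: r[k] for k in ("failure_id", "auth_failed", "dn_count")},
                "missing": missing_steps(r)} for t, r in parse_auth_log(text).items()}
```

Running summarize over a real mwg-core__Auth file lets you compare the "missing" lists against the pcap: transactions with no credentials or mapping step logged are the ones to expect no LDAP packets for.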
            • 3. Re: auth popup on thin client
              asabban

              Hello,

              sorry for the late response. Did you already file an SR about this issue in the meantime? If there is still need to look into this topic please upload the pcap file to our FTP server and send me the filename so that we can have a look.

              Best,

              Andre

              • 4. Re: auth popup on thin client
                fwmonitor

                Hello,

                yes, 3-2245670072, created 20 June 2012. I've just updated it with new information.

                regards

                • 5. Re: auth popup on thin client
                  asabban

                  Hello,

                  thank you for the SR number. I had a quick look with support at the data yesterday, but I think some further troubleshooting is required here. I will leave it up to support/engineering to work with the data.

                  Best,

                  Andre