4 Replies. Latest reply: Jun 28, 2013 3:48 AM by ser_caretower

    Authentication Box on IE from the same host by different AD users

    ser_caretower

      Hi all,

       

      We are trying to implement the next config in our library:

       

      Basically we have a group of users and groups defined on AD Server. 

      We have 1 machine which is always logged in as Guest1. The machine Guest1 is dynamically assigned by DHCP, so no chance to toy with the IP address config.

      From the session Guest1 we have 3 different users that browse internet ( google, yahoo, etc) and an internal application server.

       

      We are looking for an authentication dialog box every time Guest1 goes to 10.10.10.10, which is the application server.

      Then credentials will be prompted so Doctor1, Doctor2 or Consultant1 can log in to the application.

      When Internet Explorer closes and launches again, going to 10.10.10.10 has to request new credentials, as the user behind that session could be Doctor2 or Consultant.

       

      You can have a look at the attached picture, where a use case is shown.

       

      The users Doctor1, Doctor2, Consultant and Guest are users of the AD domain.

       

      Click on the image below for a trace reproduction.

       

      Any comments please do let me know.

       

      Thanks in advance.

       

       

      WebGateway.png

        • 1. Re: Authentication Box on IE from the same host by different AD users
          asabban

          Hi,

           

          This CAN be relatively simple. Implement "normal" authentication and configure the "guest" user in a way he can browse as desired. Now add a new rule that says something like

           

          URL.Destination.IP equals 10.10.10.10

           

          AND

           

          Authentication.Username equals "guest"

           

          then call action "Authenticate".

           

          Basically the user guest can browse around as he wishes. The browser will always send "guest" as the user name. As soon as you go to 10.10.10.10 while being "guest", MWG will no longer accept this request and will send a 407 response code to the browser, asking him to authenticate. Because the browser already sent credentials which are now no longer valid, it will show a popup which allows you to enter different credentials.

           

          If you use a different user than "guest" you will be able to browse the URL. The browser will remember the new credentials and use them until you close the browser.

           

          Problem:

           

          - I was not able to find a way to use a web based form to catch new credentials. It only seems to work with the default browser popup window.

          - Once you "became" a different user, all requests to other URLs will be done in the name of this new user, until you close the browser and log in as guest again.

          - If you forget to close the browser there is no "timeout", so if someone logs in and goes away without closing the browser, someone else can come and continue accessing 10.10.10.10 without being prompted again.

           

          Best,

          Andre
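
An added example, not part of Andre's post and not McAfee Web Gateway rule syntax: a Python model of the rule he describes, replaying the kiosk scenario including the two limitations he lists. It assumes Basic proxy authentication; the user table, passwords, function names and the address 203.0.113.5 are constructed for illustration.

```python
import base64

APP_SERVER_IP = "10.10.10.10"   # application server from the thread
SHARED_ACCOUNT = "guest"        # account the kiosk browser sends by default
# Constructed directory; stands in for the AD lookup the gateway performs.
DIRECTORY = {"guest": "guest-pw", "Doctor1": "d1-pw", "Doctor2": "d2-pw"}

def parse_basic(header):
    """Return (user, password) from a Proxy-Authorization: Basic value, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def evaluate(dest_ip, proxy_authorization):
    """Model of the proxy decision: returns (status, authenticated user or None)."""
    creds = parse_basic(proxy_authorization)
    if creds is None or DIRECTORY.get(creds[0]) != creds[1]:
        return 407, None            # "normal" authentication missing or failed
    user = creds[0]
    # The extra rule: destination is the app server AND user is the shared account.
    if dest_ip == APP_SERVER_IP and user.lower() == SHARED_ACCOUNT:
        return 407, None            # browser shows its credential popup
    return 200, user

def basic(user, password):
    """Build a Basic credential header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def kiosk_session():
    """Replay the thread's scenario; the browser reuses the last accepted header."""
    guest, doctor = basic("guest", "guest-pw"), basic("Doctor1", "d1-pw")
    return [
        evaluate("203.0.113.5", guest),   # guest browsing the internet
        evaluate(APP_SERVER_IP, guest),   # guest hits the app server: re-prompt
        evaluate(APP_SERVER_IP, doctor),  # Doctor1 enters credentials
        evaluate("203.0.113.5", doctor),  # other URLs are now attributed to Doctor1
        evaluate(APP_SERVER_IP, doctor),  # no timeout: next person is not prompted
    ]

if __name__ == "__main__":
    for status, user in kiosk_session():
        print(status, user)
```

The last two results show why the thread's later advice to authenticate in the application itself matters: the gateway decision depends only on what the browser keeps sending, not on who is sitting at the machine.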

          • 2. Re: Authentication Box on IE from the same host by different AD users
            ser_caretower

            2013-05-16_13-03_Authentication TEST.gif

            Hi Andre, thanks for your reply.

             

            So far we have implemented the next rule set. Find it attached on GIF, rename to XML and import on a WebGateway 7.3.x

             

            Let me try your solution, keep you posted.

             

            Regards.

            • 3. Re: Authentication Box on IE from the same host by different AD users
              jont717

              Sounds to me like you need to build in authentication on the application server page.  10.10.10.10.

               

              That is the correct way to do this.  You do not want to rely on Authentication from the Web Gateway.

              • 4. Re: Authentication Box on IE from the same host by different AD users
                ser_caretower

                Thanks all, we managed to engineer the double authentication using the built-in rules.

                 

                Regards