692 Views 4 Replies Latest reply: Jun 28, 2013 3:48 AM by ser_caretower
ser_caretower Newcomer 19 posts since
Feb 11, 2013

May 16, 2013 6:05 AM

Authentication Box on IE from the same host by different AD users

Hi all,

 

We are trying to implement the following config in our library:

 

Basically we have a group of users and groups defined on AD Server. 

We have 1 machine which is always logged in as Guest1. The machine Guest1 has a dynamically assigned DHCP address, so there is no chance to toy with the IP address config.

From the session Guest1 we have 3 different users that browse internet ( google, yahoo, etc) and an internal application server.

 

We are looking for an authentication dialog box every time Guest1 goes to 10.10.10.10, which is the application server.

Then credentials will be prompted so Doctor1, Doctor2 or Consultant1 can log in to the application.

When Internet Explorer closes and launches again, going to 10.10.10.10 has to request new credentials, as the user behind that session could be Doctor2 or Consultant.

 

You can have a look at the attached picture, where a use case is shown.

 

The users Doctor1, Doctor2, Consultant and Guest are users of the AD domain.

 

Click on the image below for a trace reproduction.

 

If you have any comments, please do let me know.

 

Thanks in advance.

 

 

WebGateway.png

  • asabban McAfee SME 1,351 posts since
    Nov 3, 2009

    Hi,

     

    This CAN be relatively simple. Implement "normal" authentication and configure the "guest" user in a way that he can browse as desired. Now add a new rule that says something like

     

    URL.Destination.IP equals 10.10.10.10

     

    AND

     

    Authentication.Username equals "guest"

     

    then call action "Authenticate".

     

    Basically, the user guest can browse around as he wishes. The browser will always send "guest" as the user name. As soon as you go to 10.10.10.10 while being "guest", MWG will no longer accept this request and will send a 407 response code to the browser, asking him to authenticate. Because the browser already sent credentials which are now no longer valid, it will show a popup which allows you to enter different credentials.

     

    If you use a different user than "guest" you will be able to browse the URL. The browser will remember the new credentials and use them until you close the browser.

     

    Problem:

     

    - I was not able to find a way to use a web based form to catch new credentials. It only seems to work with the default browser popup window.

    - Once you "became" a different user, all requests to other URLs will be done in the name of this new user, until you close the browser and log in as guest again

    - If you forget to close the browser there is no "timeout", so if someone logs in and goes away without closing the browser, someone else can come and continue accessing 10.10.10.10 without being prompted again

     

    Best,

    Andre
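
The rule in the reply above and the three problems it lists can be traced with a small model. This is an added example, not part of the original posts and not McAfee Web Gateway code; `proxy_decide`, `Browser`, `walkthrough` and the address 203.0.113.5 are constructed for illustration, and it assumes every typed username is a valid AD account.

```python
# Added illustration: a toy model of the proxy rule and the browser's
# credential cache. All names are hypothetical, not MWG's own.
APP_SERVER = "10.10.10.10"   # application server from the thread
GUEST = "guest"              # account the shared session runs as
INTERNET = "203.0.113.5"     # constructed stand-in for any internet site


def proxy_decide(dest_ip, username):
    """Rule from the reply: app server + guest -> Authenticate (407)."""
    if username is None:
        return 407                      # "normal" authentication
    if dest_ip == APP_SERVER and username == GUEST:
        return 407                      # guest is rejected for this URL
    return 200


class Browser:
    """Remembers proxy credentials until the browser is closed."""

    def __init__(self):
        self.user = GUEST               # the session always starts as guest
        self.prompts = 0

    def get(self, dest_ip, typed_user=None):
        status = proxy_decide(dest_ip, self.user)
        if status == 407 and typed_user is not None:
            self.prompts += 1           # default browser popup is shown
            self.user = typed_user      # cached, with no timeout
            status = proxy_decide(dest_ip, self.user)
        return self.user, status

    def close(self):
        self.user = GUEST               # relaunch falls back to guest


def walkthrough():
    b = Browser()
    log = [b.get(INTERNET)]                     # guest browses freely
    log.append(b.get(APP_SERVER, "Doctor1"))    # 407, popup, Doctor1 in
    log.append(b.get(INTERNET))                 # other URLs now as Doctor1
    log.append(b.get(APP_SERVER, "Doctor2"))    # browser left open: no popup
    prompts_while_open = b.prompts
    b.close()
    log.append(b.get(APP_SERVER, "Doctor2"))    # after relaunch: popup again
    return log, prompts_while_open, b.prompts
```

The fourth entry is the one to watch: the second person reaches 10.10.10.10 under Doctor1's cached identity because nothing in the rule forces a new prompt while the browser stays open.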

  • jont717 Champion 291 posts since
    Jan 4, 2011

    Sounds to me like you need to build in authentication on the application server page, 10.10.10.10.

     

    That is the correct way to do this.  You do not want to rely on Authentication from the Web Gateway.
