We are trying to implement the next config in our library:
Basically we have a group of users and groups defined on AD Server.
We have 1 machine which is always loggued as Guest1. The machine Guest1 is DHCP dinamically assigned so no chances to toy with the IP address config
From the session Guest1 we have 3 different users that browse internet ( google, yahoo, etc) and an internal application server.
We are looking for an authentication dialog box everytime Guest1 go to 10.10.10.10 which is the application server.
Then credentials will be prompted so Doctor1, Doctor2 or Consultant1 can login into the application.
When Internet Explore closes and launches again, when going to 10.10.10.10 has to request new credentials, as the user behind that session could be Doctor2, or Consultant.
You can have a look on the picture attached where a use case is shown.
The users Doctor1, Doctor2, Consultant and Guest are users of the AD domain.
Click on the image below for a trace reproduction.
Any comments please do let me know.
Thanks in advance.
this CAN be relatively simple. Implement "normal" authentication and configure the "guest" use in a way he can browse as desired. Now add a new rule that says something like
URL.Destination.IP equals 10.10.10.10
Authentication.Username equals "guest"
then call action "Authenticate".
Basically the user guest can browse around as he wishes. The browser will always send "guest" as the user name. As soon as you go to 10.10.10.10 while being "guest" MWG will no longer accepts this request and send a 407 response code to the browser, asking him to authenticate. Because the browser already sent credentials which are now no longer valid it will show a popup which allows you to enter different credentials.
If you use a different user than "guest" you will be able to browse the URL. The browser will remind the new credentials and use them until you close the browser.
- I was not able to find a way to use a web based form to catch new credentials. It only seems to work with the default browser popup window.
- Once you "became" a different user all requests to other URLs will be done in the name of this new user, until you close the browser and login as guest again
- If you forget to close the browser there is no "timeout", so if someone logs in and goes away without closing the browser someone else can come and continue accessing 10.10.10.10 without being prompted again
Sounds to me like you need to build in authentication on the application server page. 10.10.10.10.
That is the correct way to do this. You do not want to rely on Authentication from the Web Gateway.
Thanks all we managed to engineer the double authentication ising the built in rules/