0 Replies Latest reply on Mar 7, 2014 10:37 AM by bornheim

    "Authentication required" popups

    bornheim

      Hi,

       

      my authentication scheme is roughly as follows:

       

      RS: Authenticate with Kerberos
          Criteria: Authentication.IsAuthenticated equals false
          R: Authenticate with Kerberos
              Criteria: Authentication.Authenticate <Kerberos> equals false
              Stop Rule Set

      RS: Authenticate with NTLM
          Criteria: Authentication.IsAuthenticated equals false
          R: Authenticate with NTLM
              Criteria: Authentication.Authenticate <NTLM> equals false
              Stop Rule Set

      RS: Get User Groups and Data With LDAP
          Criteria: Authentication.IsAuthenticated equals true
          R: Save UserGroups from Kerberos/NTLM
              Set User-Defined.UserGroups = Authentication.UserGroups
          R: Get Real Name
              Set User-Defined.Realname = List.OfString.ToString(Authentication.GetUserGroups<LDAP_LOOKUP_REALNAME>,"")
          R: Restore UserGroups
              Set Authentication.UserGroups = User-Defined.UserGroups

      RS: Authenticate with User Database
          Criteria: Authentication.IsAuthenticated equals false
          R: Authenticate with User Database
              Criteria: Authentication.Authenticate <User Database> equals false
              Stop Rule Set

      RS: Perform Authentication
          Criteria: Authentication.IsAuthenticated equals false
          R: Prevent Browser from trying Negotiate with NTLM
              Criteria: Authentication.RawCredentials matches "Negotiate TlRM*"
              Authentication.ClearMethodList
              Authentication.AddMethod("NTLM","", true)
          R: Perform Authentication
              Authenticate<Default>

       

      This works pretty well most of the time. However, my users found at least one site where this doesn't work: http://www.wetter.com. They keep getting authentication requests after successfully requesting the site first, then waiting for a minute or so, with Firefox as well as with Internet Explorer.

       

      What I can see in Wireshark (tested with Firefox):

       

      1.) good case

                  Q: GET

                  A: 407, Proxy-Authenticate: Negotiate & NTLM

                  Q: GET, Proxy-Authorization Negotiate TlRM…

                  A: 407, Proxy-Authenticate: NTLM

                  Q: GET, Proxy-Authorization NTLM TlRM…

                  A: 407, Proxy-Authenticate: NTLM TlRM… (NTLMSSP_CHALLENGE)

                  Q: GET, Proxy-Authorization NTLM TlRM…

                  A: 200

       

      1.) bad case

                  Q: GET

                  A: 407, Proxy-Authenticate: Negotiate & NTLM

                  Q: GET, Proxy-Authorization Negotiate TlRM…

                  A: 407, Proxy-Authenticate: NTLM

                  Q: GET, Proxy-Authorization NTLM TlRM…

                  A: 407, Proxy-Authenticate: NTLM TlRM…

                  Q: GET, Proxy-Authorization NTLM TlRM…

                  A: 407, Proxy-Authenticate: Negotiate & NTLM *bang*

       

      Obviously Web Gateway seems not to like what Firefox offers for authentication. Except that was good enough some milliseconds before.

       

      Same behaviour when user is not logged into the domain (no SSO in this case) and manually supplies the credentials.

       

      Kind regards,

      Robert

       

      Edited by bornheim on 07.03.14 10:37:21 CST
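
The following is an added example, not part of the original post and not Web Gateway code. It decodes the `Proxy-Authorization` / `Proxy-Authenticate` values seen in a capture like the one above and reports which NTLMSSP message each one carries, including the "NTLM inside Negotiate" case that the `Negotiate TlRM*` criterion matches. The tokens are constructed placeholders with a valid NTLMSSP header and zero padding, and the function names are hypothetical.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"   # its base64 form starts with "TlRM"
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def make_token(msg_type):
    """Constructed sample token: signature + message type + zero padding."""
    raw = NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(raw).decode()

def classify(header_value):
    """Return (scheme, kind) for one proxy authentication header value."""
    parts = header_value.strip().split(None, 1)
    scheme = parts[0]
    if len(parts) == 1:
        return scheme, "offer"            # bare scheme name, no token attached
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return scheme, "undecodable"
    if blob.startswith(NTLMSSP_SIG) and len(blob) >= 12:
        (msg_type,) = struct.unpack_from("<I", blob, 8)   # little-endian type field
        return scheme, "NTLMSSP_" + MSG_TYPES.get(msg_type, "UNKNOWN")
    return scheme, "non-NTLM token"       # e.g. a SPNEGO/Kerberos blob

def annotate(trace):
    """Label each (direction, header value) pair; flag NTLM sent under Negotiate."""
    rows = []
    for direction, value in trace:
        scheme, kind = classify(value)
        ntlm_in_negotiate = (direction == "Q" and scheme == "Negotiate"
                             and kind.startswith("NTLMSSP_"))
        rows.append((direction, scheme, kind, ntlm_in_negotiate))
    return rows

# Constructed trace following the shape of the "good case" above.
SAMPLE_TRACE = [
    ("Q", "Negotiate " + make_token(1)),
    ("A", "NTLM"),
    ("Q", "NTLM " + make_token(1)),
    ("A", "NTLM " + make_token(2)),
    ("Q", "NTLM " + make_token(3)),
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_TRACE):
        print(row)
```

Running it over the header values of a failing capture shows which NTLMSSP message type the request just before the repeated 407 actually carried.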