Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Sep 08 04 11:30 am
I want to use NTLM authentication.
I want to FORCE all internal users to have to authenticate at the firewall.
I can't seem to get this to work.
If I have a user in the WinGate database with the same name that I have used to log on to the NT network, I can go straight out to the Internet. If I don't have this same name in WinGate, I get a nice popup window asking for username and password. This is what I want. But I also want to have the NT network users in WinGate, i.e. not have different names.
Is this possible, or am I doing something wrong?
Sep 08 04 11:47 am
First, what version of WinGate are you using? Then, what user database option do you have selected?
Sep 08 04 11:55 am
WinGate 6.0.1 build 995
Database options: I am using "Use the Operating System (Windows) user database".
I have also tried using remote database, but then all users are automatically authenticated, which I don't want.
Sep 08 04 12:02 pm
Are you using IE as your web browser? If so, go to options, switch to the "Security Pane". Go into the custom settings for the Internet zone and scroll down to the bottom. There are four choices for user authentication there:
1. Anonymous logon
2. Automatic logon only in Intranet zone
3. Automatic logon with current username and password
4. Prompt for user name and password
You can change the settings there to force IE to prompt every time. (Otherwise, it might be automatically logging you in)
Then, what method are you using to get the clients to connect out through WinGate? Are you using the WinGate Internet Client, or NAT with Intercepts, or straight proxy connections?
Sep 08 04 12:12 pm
I am using IE.
I had already selected "Prompt for user name and password", but it still just let me out.
At the moment, I am connected via straight proxy in IE.
I am not using WinGate Internet Client, or NAT with Intercepts.
The only way I seem to get an authentication window is to NOT have the user name that I log on to the NT network with in the WinGate server users.
Sep 08 04 12:15 pm
I'm going to setup this case in the testlab. What does it say in GateKeeper though, does the user show up as "Authenticated: NTLM" ?
Sep 08 04 12:16 pm
Yes, it says user is NTLM authenticated.
Sep 08 04 12:20 pm
Which means that the client provided credentials to WinGate (And did not prompt you) which WinGate used to authenticate the client with your user database. That sounds correct - not sure why the client refuses to prompt though.
Sep 08 04 12:27 pm
IE will automatically try your currently logged in user on your computer. We get the same behavior. If the user does not exist, WinGate will pass those credentials to the OS, in an attempt to authenticate and then synchronise the user. (After which, the process should all happen automatically)
This all sounds exactly like the way it works. The QA guys suggested that if you need a popup you should use either HTTP Basic OR the Java Client. Alternatively, you can use GateKeeper as a remote authentication tool.
It's possible that another web-browser might give better behavior, but WinGate is only reacting to what the browser has provided to it.
Sep 08 04 12:35 pm
How do I use HTTP authentication?
If I use Java, doesn't this mean I would then have to have a separate user database on WinGate? That would be a pain, to have to duplicate the NT users.
Sep 08 04 12:39 pm
Java does mean a separate user database, yes. Is this a case of:
User logs in to NT.
User browses the net, needs to auth.
User leaves computer logged in.
Other user comes around and wants to browse the net, needs to auth.
Just trying to work out which way will work best to achieve what you want.
Sep 08 04 12:41 pm
Yes, that is what I would like to achieve.
Basically I want to be able to control who can, or cannot, connect to the Internet.
Sep 08 04 12:41 pm
It seems to be IE that suffers from this. I use Firefox as a browser, and when I point that through a WinGate installation that requires NTLM authentication it prompts me with every new browser session. (So, if I keep the browser running, it remembers my authentication, but as soon as I close it I need to re-auth when I browse again.)
Sep 08 04 12:43 pm
Could you use the OS as your first level of defence? If you have password protected screensavers, etc. your actual OS on the client machines can be the method to auth the users on the computer.
Thereafter, the fact that IE prompts or does not prompt does not matter, because the logged in user on the computer will either be allowed or not allowed access, as you have specified in your policies?
I'll do a quick search on Microsoft's website, to see if they have any information on this.
Sep 08 04 12:51 pm
Don't really want to use the OS as the first line of defence, as I have multiple people logging on to the same machine. I can get this to work with an opposition program, but I have been a WinGate user for years, and am happy with the program.
Plus I want to be able to look at my TS users, which ver 6 will allow me to do.
I also have 2 remote users connecting via a private WAN that I want to restrict. By authenticating, I can at least make them aware that their Internet activity is being monitored.
Firefox, where can I download it to try?
Sep 08 04 12:55 pm
Yeah, hear what you're saying. On Microsoft's site, I can find a lot of information on making the popup go away, but they don't seem to want it to appear.
You can get Firefox from
http://texturizer.net/firefox/download.html. Note though, this is still a beta product, etc. so try it first on one machine.
There must be a way to get IE to do what you want it to do, so don't be too hasty in changing to Firefox, etc. One of the MVPs on the site might be able to give some help here.
Sep 08 04 1:04 pm
So nobody else has this problem/way they want to work?
Sep 08 04 1:05 pm
Using basic authentication prompts all the time and uses the credentials from the NT user database. However, this is not as secure as NTLM (strong for NTLM, weak for Basic) and because it only treats a user as 'assumed' it means that after the last session is closed there is a small window (10 to 30 seconds, I believe) before the assumed status is released for that machine (from a WinGate perspective).
If somebody restarts IE in that window, they will be re-authenticated without having to log in.
Sep 08 04 1:08 pm
How do I do HTTP basic?
Sep 08 04 1:16 pm
But if I click off the NTLM and choose Basic, I just get authentication errors.
I don't get the popup asking to authenticate.
Sep 08 04 1:18 pm
Because it is "Assumed", so you have to drop the requirement for your users to be assumed. However, I believe I have found the answer to IE.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321942.
If you change the explorer (Windows Explorer) to "Launch Each Folder in a separate process" then it pops up and prompts every time.
Sep 08 04 1:24 pm
How do I get Wingate to drop the requirement for users to be assumed?
Sep 08 04 1:26 pm
Sorry, bad language from my part - should have been "Authenticated". In the policy, you specify: "Must be authenticated". That should be dropped to "May be assumed".
However, the "Open Each Folder" trick should work with NTLM authentication.
Sep 08 04 1:32 pm
Firstly, where for the "should have been 'Authenticated'. In the policy, you specify: 'Must be authenticated'", i.e. in the WWW Proxy Server properties?
The "'Open Each Folder' trick should work with NTLM authentication" didn't do a thing. Still straight through from my XP (SP1) IE ver 6 to my WinGate proxy.
Sep 08 04 1:40 pm
Yes, in the policy where you specify "Must be authenticated" that should be changed to "May be assumed".
We were using IE 5.0 on Windows 2000. I'll see if I can find a free IE6 + XP client here.
Sep 08 04 1:51 pm
Ok, got it.
Now I CAN get the popup window to authenticate, ONLY if I select basic authentication (not NTLM), and now that I select "User may be assumed", that part works. I had always had "User must be authenticated".
So now, I assume I can't use NTLM to authenticate, and still get the popup?
Sep 08 04 2:07 pm
Seems with older versions of IE / the OS you can. I'm trying to find out if there is a way to do it with IE6 / XP. (Possibly a local security policy / something similar)
Do you run an active directory environment?
Sep 08 04 2:33 pm
Yes, I'm running an AD environment, with DNS and Microsoft DHCP.
Also, that link you gave above from the Microsoft site has no effect. If I only use basic authentication, I can get it to work, but as soon as I use NTLM authentication, users get logged on automatically. In the short term, I can use basic authentication (which also works for my Macintoshes as well, GREAT), but long term I want the NTLM to work, as a popup authentication.
What really caused some confusion, was having to set the WWW proxy policy to "user may be assumed", rather than "user must be authenticated"
Not sure I understand why/how that works. But having the WWW proxy policy set to "User may be assumed", allows me to get the popup authentication window.
Now, what happens if/when I use NAT?
Sep 08 04 3:26 pm
Look at the three different levels of user security.
1. Authenticated = Strong Authentication (NTLM, Java or through WGIC/GK)
2. Assumed = Weak Authentication (User assumption or basic auth)
3. None = No Authentication
There are more authentication methods used for mail, etc. Hence, if you want to use HTTP Basic auth, your user security can only reach up to the "assumed" / "weak" level. It cannot get to authenticated. So, when your policy specifies that the user must be authenticated, they cannot get there.
I've narrowed the fix suggested down. With Win2K and IE6, IE5.x it works. With XP and IE6 it does not work. So, guess it's something to do with XP, but have no idea what.
If you now switch to NAT, it becomes easy as well. This is where Intercepts become your new best friend. On the WWW Proxy Server settings, you can switch to the "Sessions" page. There, enable "Intercepts" and specify the ports you want to be intercepted. Port 80 should be intercepted by default.
What this now means is that if your client computer is sending any traffic through the WinGate Server destined for port 80, that will be intercepted at driver level and sent through the proxy that was listening on port 80. This gives you all the benefits of using a proxy, without losing the ease of configuration of a NAT solution.
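The three-level model and the "assumed" grace window described in the two replies above (the Basic-versus-NTLM post and the Authenticated/Assumed/None list), as an added Python example that is not part of the original thread and is not WinGate's own code. It assumes: a Type 3 NTLM message laid out per MS-NLMP (identity fields only, responses left empty, since the point is that no password travels in it), a 30-second grace window (the thread says 10 to 30 seconds), and illustrative policy names taken from the thread. A Basic header is shown being reversed with one base64 decode, which is why it can only reach the "assumed" level.

```python
"""Proxy-side model: which user-security level a Proxy-Authorization header reaches,
whether a WWW Proxy policy requirement is met, and how an 'assumed' identity
lingers after the last session closes. Added illustration; values are assumptions."""
import base64
import binascii

LEVELS = {"none": 0, "assumed": 1, "authenticated": 2}
POLICY = {"none": 0, "may be assumed": 1, "must be authenticated": 2}


def auth_header(scheme, blob):
    """Build a Proxy-Authorization header value from raw bytes."""
    return scheme + " " + base64.b64encode(blob).decode("ascii")


def build_ntlm_type3(domain, user, workstation, flags=0x00000201):
    """Constructed sample AUTHENTICATE_MESSAGE (MS-NLMP Type 3), Unicode flag set.
    Challenge responses and session key are empty: only identity fields matter here."""
    fields = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    header_len = 64                       # 12-byte header + 6 buffers * 8 + 4 flag bytes
    hdr = b"NTLMSSP\x00" + (3).to_bytes(4, "little")
    payload = b""
    for data in fields:                   # security buffer: Len, MaxLen, Offset
        offset = header_len + len(payload)
        hdr += len(data).to_bytes(2, "little") * 2 + offset.to_bytes(4, "little")
        payload += data
    return hdr + flags.to_bytes(4, "little") + payload


def ntlm_user(msg):
    """Username from a Type 3 message, or None for Type 1/2 or malformed input."""
    if msg[:8] != b"NTLMSSP\x00" or len(msg) < 64:
        return None
    if int.from_bytes(msg[8:12], "little") != 3:
        return None
    length = int.from_bytes(msg[36:38], "little")   # UserNameFields at offset 36
    offset = int.from_bytes(msg[40:44], "little")
    flags = int.from_bytes(msg[60:64], "little")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if flags & 1 else "latin-1")


def classify(proxy_authorization):
    """(level, user) reached by one Proxy-Authorization header value."""
    if not proxy_authorization:
        return "none", None
    scheme, _, param = proxy_authorization.strip().partition(" ")
    try:
        blob = base64.b64decode(param, validate=True)
    except binascii.Error:
        return "none", None
    if scheme.lower() == "basic":
        # weak: anyone on the wire recovers the password with one base64 decode
        user, _, _password = blob.decode("latin-1").partition(":")
        return ("assumed", user) if user else ("none", None)
    if scheme.lower() == "ntlm":
        user = ntlm_user(blob)
        # Type 1 carries no user yet; the proxy must answer 407 with a Type 2 challenge
        return ("authenticated", user) if user else ("none", None)
    return "none", None


def decide(requirement, proxy_authorization):
    """Allow/deny one request against a WWW Proxy policy requirement."""
    level, user = classify(proxy_authorization)
    return {"level": level, "user": user, "allowed": LEVELS[level] >= POLICY[requirement]}


class AssumedStatus:
    """Per-machine 'assumed' identity that lingers for a grace window after the
    last session closes, so a browser restarted inside the window is not re-prompted."""

    def __init__(self, grace_seconds=30):        # window length is an assumption
        self.grace = grace_seconds
        self._last = {}                           # client_ip -> (user, closed_at or None)

    def session_open(self, ip, user, now):
        self._last[ip] = (user, None)

    def session_close(self, ip, now):
        if ip in self._last:
            self._last[ip] = (self._last[ip][0], now)

    def assumed_user(self, ip, now):
        user, closed = self._last.get(ip, (None, None))
        if user is None or (closed is not None and now - closed > self.grace):
            return None
        return user
```

Under "must be authenticated" a Basic header is denied outright (it never rises above "assumed"), which is the behaviour the thread hit; relaxing the policy to "may be assumed" lets Basic through while NTLM still satisfies the stronger requirement. The AssumedStatus class reproduces the re-login gap: a close followed by a reopen within the window returns the previous user without a prompt.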
Sep 08 04 3:50 pm
Ok, understand.
Now, originally I set up my proxy on port 3128.
How will this affect if I use NAT?
another question, a little off topic.
I want to set up a PPTP from outside to inside. Is there a way I can make the "hole" through the firewall authenticate before it passes the request on to the internal mapped server?