
Another NTLM Auth Issue

May 07 08 7:35 am

I am currently evaluating WinGate solely for authenticating and logging internet web access. We are running WinGate on our test server, a Windows 2003 Standard server (not a domain controller). Please let me state that I have browsed this forum and have already checked the many other NTLM auth posts.

I have configured Windows authentication and can see all of our active directory users and groups in the list.

Under the web proxy service I have NTLM checked as the auth method, and configured its policy to allow everyone but force authentication, ignore system policy.

When I test with a web browser (in this case Internet Explorer 7) it pops up an authentication dialog. I try to login with my AD username and password, but it fails and I get the error screen.

Oddly enough, if I leave it alone and simply hit the enter key, it loads the page! The history log shows the web page I accessed under my username, but the system messages show an authentication failure.

My question is - how the heck is this supposed to work? I was hoping for transparent auth, where Windows automatically supplies the currently logged-in user's credentials. This doesn't seem to work, and we are presented with a manual login dialog, which fails login as well.

What are we doing wrong? Oh... I have not tried the goofy little client applet. We will be forcing proxy config via Windows 2003 group policy. No, we will not install the applet on every client.

Thanks,
Jon

May 07 08 11:09 pm

Have you changed the WinGate engine to login with a domain administrator account?

Is the WinGate computer a member of the active directory?

Is the DNS setting of the WinGate computer's internal network adapter pointing to the AD DNS server?

It's good to hear that you won't be installing the WinGate Internet Client. I only recommend using this if you need application level control over client internet access. Otherwise, you will get better results using NAT and proxies.

May 08 08 2:54 am

Yes to all of those questions. WinGate can get the user list from AD without issue. It seems like WinGate is trying to authenticate to the local server first, rather than the AD user accounts.

It is odd.

May 08 08 12:14 pm

Hi

WinGate uses the OS-provided SSPI interface for NTLM.

I'm pretty sure that depends then on things like what account the WinGate computer is running in, but also whether users specify a domain name when logging in.

May 09 08 6:17 am

All workstations log in to the AD domain, which provides username, password, and domain.

What account should WinGate be running under?

May 09 08 8:06 am

Well, I cannot spend any more time on this. We will have to look at other products.

Thanks for your assistance.

May 09 08 1:11 pm

WinGate needs to run under an account that has domain privileges for authentication.

Normally a domain admin account.

Adrien
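The three prerequisites raised in the replies above (domain membership, the account the WinGate service runs under, and DNS pointing at the AD DNS server) can be checked from the proxy host itself. The script below is an added example, not WinGate's own tooling; it assumes a modern Windows host with the `Resolve-DnsName` cmdlet and that the WinGate engine is a Windows service whose display name matches the placeholder pattern `WinGate*`.

```powershell
# Added diagnostic, not part of WinGate. Reports which of the prerequisites
# for NTLM/SSPI authentication against AD are not met on this host.
function Test-WinGateAuthPrereqs {
    param([string]$ServicePattern = 'WinGate*')   # placeholder; adjust to the real service name

    $findings = @()
    $cs = Get-CimInstance Win32_ComputerSystem

    # 1. The proxy host must be a member of the AD domain.
    if (-not $cs.PartOfDomain) {
        $findings += "Host is not domain-joined (workgroup '$($cs.Domain)')"
    }

    # 2. The service account: the reply above states it must be a domain account.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $ServicePattern }
    if (-not $services) {
        $findings += "No service matching '$ServicePattern' found"
    }
    foreach ($svc in $services) {
        # Built-in accounts have no backslash or use the NT AUTHORITY / local-machine prefix.
        $builtIn = ($svc.StartName -notmatch '\\') -or
                   ($svc.StartName -match '^(NT AUTHORITY|\.|' + [regex]::Escape($cs.Name) + ')\\')
        if ($builtIn) {
            $findings += "$($svc.DisplayName) runs as '$($svc.StartName)', not a domain account"
        }
    }

    # 3. Every configured DNS server must be able to locate a domain controller
    #    via the _ldap._tcp.dc._msdcs SRV record for the domain.
    if ($cs.PartOfDomain) {
        $srv = "_ldap._tcp.dc._msdcs.$($cs.Domain)"
        $dnsServers = Get-CimInstance Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } |
            ForEach-Object { $_.DNSServerSearchOrder } | Select-Object -Unique
        foreach ($dns in $dnsServers) {
            try {
                $null = Resolve-DnsName -Name $srv -Type SRV -Server $dns -ErrorAction Stop
            } catch {
                $findings += "DNS server $dns cannot resolve $srv (not an AD DNS server?)"
            }
        }
    }

    return $findings   # empty array means all three checks passed
}

Test-WinGateAuthPrereqs | ForEach-Object { Write-Warning $_ }
```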