Active Directory - Nested Groups; Authentication occurrence

Aug 06 08 1:14 am

Dear supporters,

I have WinGate 6.22 installed on W3K R2 SP1. One internal and one external adapter.
WinGate is used for proxy needs only (specified in browser settings).

1. I have created 4 Active Directory groups: Internet Restricted, Internet Limited, Internet Extended, Internet Full.
- Restricted group has access only to some websites.
- Limited has access to most resources except banned ones.
- Extended has almost no limit.
- Full has full access.
I want Domain Users to be members of the Restricted and Limited groups. As Restricted has a criterion based on IP address, all Domain users except certain IPs will have Limited access, not Restricted.
But practice shows that WinGate does not understand that a certain user, which is a member of Domain Users and which is a member of the Internet Limited group, should have rights to access the internet. It seems that WinGate does not look recursively deep into the group, only one level deep. Is it possible to fix somehow?!

2. We have set NTLM authentication and "User must be authenticated" in policy. Everything seems to work just fine.
The only thing is that:
- Users change passwords from time to time
- Users do not always switch off PCs or even log off for the night
- Some users have notebooks and do work offline, so log-on credentials are cached
I think this causes problems with the authentication window popping up and asking for user name and password, which is very inconvenient and annoying. Sometimes even a restart does not help and you are forced to enter credentials each time you open Internet Explorer. Is it curable somehow?

Re: Active Directory - Nested Groups; Authentication occurrence

Aug 06 08 12:10 pm

Hi

WinGate 6 has some troubles with AD in enumeration of groups. This is due to the need to support win95 and upwards (inc NT4) which meant we couldn't use later APIs for active directory.

This means using group membership as a basis for policy with AD using global groups has problems with WinGate 6. Also WinGate 6 had some problems with certain combinations of policy if you used different levels of required auth level (i.e. if you mixed "user may be assumed" with "user must be authenticated"). It also had issues with underlying NTLM SSPI not being too selective about accounts. WinGate uses the SSPI (OS API for security) for authentication using NTLM. This API doesn't allow specification of which set of accounts to use (i.e. local system accounts vs domain accounts). Commonly certain accounts exist in both - e.g. Administrator account exists under the local system, but also in the domain. So it would sometimes occur that authenticating with an account would auth against the local account instead of the domain account.

WinGate 2008 has dropped support for 95, 98, ME and NT4, and has a completely new AD user database provider which solves all these issues (and more).

We are currently previewing WinGate 2008 to interested parties, if you'd like to participate, please let me know.

Regards

Adrien de Croy
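
The difference between one-level and recursive group enumeration discussed in this thread, as an added example that is not part of the original posts and not WinGate code. The group names come from the first post; the users `alice` and `bob`, the in-memory `MEMBERS` table and the function names are hypothetical.

```python
# Constructed directory: group -> direct members (users or other groups).
# Group names are from the thread; "alice" and "bob" are hypothetical users.
# Assumption: Domain Users is modelled as ordinary membership. In real AD it
# is usually the primary group (primaryGroupID) and is absent from memberOf.
MEMBERS = {
    "Internet Restricted": {"Domain Users"},
    "Internet Limited": {"Domain Users"},
    "Internet Full": {"bob"},
    "Domain Users": {"alice", "bob"},
}


def direct_groups(principal):
    """Groups that list the principal as an immediate member (one level)."""
    return {g for g, members in MEMBERS.items() if principal in members}


def effective_groups(principal):
    """All groups reached by following nesting upward."""
    seen, stack = set(), [principal]
    while stack:
        for group in direct_groups(stack.pop()):
            if group not in seen:  # the seen-set also stops circular nesting
                seen.add(group)
                stack.append(group)
    return seen


def allowed(principal, policy_group, recursive):
    """Evaluate a group-based policy with or without nested-group expansion."""
    if recursive:
        groups = effective_groups(principal)
    else:
        groups = direct_groups(principal)
    return policy_group in groups


if __name__ == "__main__":
    for recursive in (False, True):
        verdict = allowed("alice", "Internet Limited", recursive)
        print(f"recursive={recursive}: alice in Internet Limited -> {verdict}")
```

When auditing a group-based proxy policy, compare the one-level and recursive results for each user: any user whose access differs between the two depends on nesting and will be affected by how the product enumerates groups.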

Re: Active Directory - Nested Groups; Authentication occurrence

Aug 06 08 7:45 pm

Yes I am interested in reviewing WinGate 2008.
When is the final version of WinGate 2008 going to be released, approximately?

Thank you.

Re: Active Directory - Nested Groups; Authentication occurrence

Aug 14 08 8:31 pm

Yes if we got any date delay .. or preview running correctly ...
waiting for several months and really not a serious answer ...

actually nobody answers me ....

Re: Active Directory - Nested Groups; Authentication occurrence

Sep 26 08 4:42 am

I have the same problem and with QbikAuth.exe it is already ok...but it is not a solution! I want to use the NTLM authentication without problems....in this mode I don't want WinGate...

I'm in contact with Achab (my reseller) to resolve this problem.

If possible I think to try the new version, do you have a date?

Thanks.

p.s.: (with the NTLM authentication I have a problem sending messages on your forum...I must use a proxy server without authentication...)