
NTLM authentication and guest users

May 05 06 1:55 am

Still evaluating :-) We're currently running WinGate with no authentication requirements at all in our Citrix terminal server environment so everyone is showing up as guest. This has been running now for about a week without problems which is good news. Because everyone on terminal server is under the same guest account, we could probably just purchase the 12 concurrent user standard version :-)

The above in effect gives us very similar functionality that we're currently using with MS Proxy 2.

But we'd like to turn on authentication (for logging purposes) but don't want to use the WinGate client. So we can enable NTLM authentication against everyone and throw in a few multi-user IP addresses for the terminal servers.

But the problem is that this breaks some web applications like WebEx. WebEx picks up the proxy server setting from IE (as do quite a few apps) but must not authenticate via NTLM in the same way as IE. The result is that these connections appear as guest and therefore WinGate refuses access.

What we need is some way of defining access so that if somebody happens to use NTLM then fine, they authenticate and we can see their activity. However, if not, then they authenticate as guest but they still have access.

Is this possible?

Thanks, Rob.

May 05 06 2:58 am

Hi Rob

Because you can set authentication requirements per request, you can possibly circumvent the problem with WebEx by adding a policy to the web proxy that allows unauthenticated access to the site(s) that WebEx goes to.

I'm picking these sites wouldn't need to be restricted to other users?

Then WebEx wouldn't need to auth.

Most apps that use the IE connection settings do so because they are using the WinInet / WinHTTP subsystem. This should be handling the authentication as well. Have you tried setting the IE settings to automatically use the currently logged in credentials?

Under Internet Properties -> Security -> Custom Level -> User authentication

Adrien

May 05 06 4:20 am

Have you tried setting the IE settings to automatically use the currently logged in credentials?


The current IE setting is "Automatic logon only in the Intranet zone". This is the default medium level. I'll try changing it to "Automatic login with current username and password" tomorrow.

Cheers, Rob.

May 05 06 11:33 am

Another option, rather than trying to enable all the sites WebEx may want to go to, is if it uses a different browser type tag, you could use that in the policy instead to grant that browser unrestricted access.

You may need to do a packet capture or something to find out what the User-Agent tag is though.

Adrien
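
The packet-capture step suggested in the last reply can be scripted. The following is an added example, not part of the original thread and not WinGate code: it reads request headers captured on the proxy port and reports which User-Agent values never send a Proxy-Authorization header. The sample capture, host names and User-Agent strings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: request headers as seen on the proxy's listening port.
# Hosts, User-Agent strings and the NTLM token are made up for illustration.
SAMPLE_CAPTURE = """\
GET http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)

GET http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)
Proxy-Authorization: NTLM TlRMTVNTUAABAAAA

CONNECT meeting.example.net:443 HTTP/1.1
Host: meeting.example.net:443
User-Agent: ExampleMeetingClient/1.0
"""

def parse_requests(capture):
    """Yield one {lower-cased header name: value} dict per captured request."""
    for block in capture.replace("\r\n", "\n").split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:  # lines[0] is the request line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        yield headers

def auth_by_user_agent(capture):
    """Count requests per User-Agent, split by Proxy-Authorization scheme."""
    stats = defaultdict(lambda: {"ntlm": 0, "other": 0, "none": 0})
    for headers in parse_requests(capture):
        agent = headers.get("user-agent", "(no User-Agent header)")
        scheme = headers.get("proxy-authorization", "").split(" ", 1)[0].lower()
        key = "ntlm" if scheme == "ntlm" else ("other" if scheme else "none")
        stats[agent][key] += 1
    return dict(stats)

def never_authenticating_agents(capture):
    """User-Agents that made requests but never offered proxy credentials."""
    return sorted(agent for agent, s in auth_by_user_agent(capture).items()
                  if s["ntlm"] == 0 and s["other"] == 0)

if __name__ == "__main__":
    print(never_authenticating_agents(SAMPLE_CAPTURE))
```

An NTLM-capable client such as IE shows both an unauthenticated first request and an authenticated retry, so only agents with no authenticated request at all are candidates for the policy. The User-Agent header is chosen by the client, so a rule keyed on it identifies software but does not authenticate anyone.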