PowerShell and Wingate

[garth]

I'm trying to use either of these PowerShell code to test wingate and proxy. No matter what I do I always get 407 error. I'm fairly sure it is simple matter. Do you have any sample PowerShell code to access a web site?

Code:

$baseuri = "http://www.myitforum.com/"
$username = "ad\Wir"
$password = "password"

#server will respond with 401 on first attempt, then Powershell will add the credentials and retry 
$uri = New-Object System.Uri ($baseuri+"basic-auth/" + $username + "/" + $password) 
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force 
$mycreds = New-Object System.Management.Automation.PSCredential ($username, $secpasswd) 
$r = Invoke-WebRequest -Uri $uri.AbsoluteUri -Credential $mycreds 
$r.Content

Code:

$baseuri = "http://www.myitforum.com/"
$username = "ad\Wir"
$password = "password"

#preemtive authentication 
$uri = New-Object System.Uri ($baseuri+"basic-auth/" + $username + "/" + $password) 
$encoded =  [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($username+":"+$password )) 
$headers = @{Authorization = "Basic "+$encoded} 

[adrien]

407 is an auth challenge from the proxy. So you either need to not require auth for that request at the proxy, or handle auth in your script.

Regards

Adrien de Croy

[garth]

407 is an auth challenge from the proxy. So you either need to not require auth for that request at the proxy, or handle auth in your script.

I know what 407 means, what I trying to prove is that Wingate is working correctly.

So do you have any example of how access a page via powershell that user proxy authentication?

[adrien]

Sorry - I missed what you were trying to do.

If you're building a request using Basic auth, make sure Basic is permitted in the WWW proxy, also make sure it's a Proxy-Authorization header rather than Authorization.

Regards

Adrien

[garth]

Sorry - I missed what you were trying to do.

If you're building a request using Basic auth, make sure Basic is permitted in the WWW proxy, also make sure it's a Proxy-Authorization header rather than Authorization.

Again I trying to prove that Wingate is working correctly. Do you have any VBS, PowerShell or C# code that will prove that Wingate is working correctly when Certs are passed to it?

[adrien]

Hi

so you're trying to test client cert based auth? You didn't mention certs before now, and I had to analyse your scripts to see you were trying to do Basic auth.

We don't have any scripts for this, haven't been asked for such things before.

For cert-based auth, you shouldn't put authorization headers in (such as auth Basic), just use a client cert that the WinGate server will trust, where the UPN in the certificate matches the user principal name on an account. The UPN (user principal name) is stored in Subject Alternative Name field in the certificate, with OID of szOID_NT_PRINCIPAL_NAME, ("1.3.6.1.4.1.311.20.2.3").

If you tried using a cert without this extension, the AD user database should have logged a warning, so check your logs.

It will also fail auth if the cert is revoked, the cert failed validation (isn't trusted somehow, or fails in some other way - e.g. expires). These are all logged

You can use a cert to auth against a user or computer account, only with the AD user database provider.

As for getting a script to use a client cert, sorry I have no idea. Dr Google should have a few ideas though

maybe http://stackoverflow.com/questions/12782371/powershell-https-get-using-client-certificate-from-certsore

Regards

Adrien

[garth]

Hi

so you're trying to test client cert based auth? You didn't mention certs before now, and I had to analyse your scripts to see you were trying to do Basic auth.

We don't have any scripts for this, haven't been asked for such things before.

For cert-based auth, you shouldn't put authorization headers in (such as auth Basic), just use a client cert that the WinGate server will trust, where the UPN in the certificate matches the user principal name on an account. The UPN (user principal name) is stored in Subject Alternative Name field in the certificate, with OID of szOID_NT_PRINCIPAL_NAME, ("1.3.6.1.4.1.311.20.2.3").

If you tried using a cert without this extension, the AD user database should have logged a warning, so check your logs.

It will also fail auth if the cert is revoked, the cert failed validation (isn't trusted somehow, or fails in some other way - e.g. expires). These are all logged

You can use a cert to auth against a user or computer account, only with the AD user database provider.

As for getting a script to use a client cert, sorry I have no idea. Dr Google should have a few ideas though

maybe http://stackoverflow.com/questions/12782371/powershell-https-get-using-client-certificate-from-certsore

No I'm not trying to use certs at all, I have used Professor BING has pointed to a number of PowerShell script that should work. I have posted two of them above. I have every gone as far as contacting a PowerShell MVP and he agree that all the PowerShell scripts should work and have worked for him in other environments but none of the environments are Wingate. Hence, why I’m asking for a script (PowerShell, VBS, or c#) that you have tested and know to work, in order to allow me to prove that Wingate is setup correctly.

Again, all I'm trying to prove is that Wingate is setup correctly. We have grant a user account used by the application and scripts full proxy access to the Internet. But it is getting a 407 error.

However when I logon as that user and using IE it tells me that it can access the internet.

Now here is the problem. While still logon as “User account”
Using the exact same setting, and while ”watching” the activity monitor, I can see that the application or either code snip-it above will fail to connect to the internet with “unknown user” but for whatever reason WinGate will fail back to the locally logon user and then allow the connection. This tell me that it is using the locally logon user instead of the proxy user account define. Why it is failing back, I have no idea as the code snippet above clearly only tries once to access the internet.

Additionally I want to ensure that both HTTP and HTTPS traffic is filter through the proxy server, from what I can tell this has been setup correctly.

As an aside I have ever try to determine if there is professional service for Wingate and I have looked at the partner in Canada and a few in the US. None seem to provide this type of service.

[adrien]

Hi

sorry I thought you wanted to do Cert based auth, since you wrote this - I guess it was a typo?

Do you have any VBS, PowerShell or C# code that will prove that Wingate is working correctly when Certs are passed to it?

OK, so for Basic auth to a proxy as I said before, the auth header is not "Authorization", it is "Proxy-Authorization". Did you try using this header instead?

Regards

Adrien

[adrien]

p.s. if it's not working for a browser, that means there's probably a proxy config issue which would probably also prevent the script working.

We can get someone to remote into your server and help if you like

Regards

Adrien