WinGate Forums

[ITB]

Since a couple of months we are using Skype and have some problem authenticating users.
We are using Wingate v.6.03 and Skype v. 1.2.0.48.
Some pc's/users are authenticated perfectly and some pc are not.

The users that are authenticated correctly are seen as followed in Wingate:
PC1[user1] - (user1 - Authenticated [NTLM])
-- WRP Control Session - Skype.exe
-- TCPLink : 192.168.X.X:1143 <-> host-81-190-132-152.olsztyn.mm.pl.:30690

The users that are NOT authenticated correctly by starting skype are seen as Guest and I have to assume them to let them connect correctly.
These users are seen as followed in Wingate:
192.168.X.X - (user2 - Assumed [Assumed])
--SSL://81.99.196.92:443

Strange thing is that if I don't assume this user and the user starts Internet Explorer he is authenticated correctly. If he starts Skype it works good.
So I think that there is something wrong with the authentication method for Skype.

It doesn't matter if I put Skype.exe in the System Applications folder in the Wingate Client.

Some help or ideas would be appreciated... ;)

[Pascal]

From what you have shown there it looks as if the one user is using WGIC and the other not. Have a look at the configuration of WGIC on those user's PCs to ensure that it is active, etc.

[ITB]

From what you have shown there it looks as if the one user is using WGIC and the other not. Have a look at the configuration of WGIC on those user's PCs to ensure that it is active, etc.

Nope, that's not it... unfortunately ;).
- WGIC is enabled
- firewalls are disabled on clients (XP Pro)
- adding skype.exe to System Applications (WGIC) doesn't make a difference

more ideas ?

[Pascal]

PC1[user1] - (user1 - Authenticated [NTLM])
-- WRP Control Session - Skype.exe
-- TCPLink : 192.168.X.X:1143 <-> host-81-190-132-152.olsztyn.mm.pl.:30690

192.168.X.X - (user2 - Assumed [Assumed])
--SSL://81.99.196.92:443

What is different between the two setups then? The second one is not showing a WRP Session - which would indicate that WGIC is not loading or in use. If you launch IE, does it show a WRP session?

One thing to check, please - if you right click on the sessions showing for the PC that does not work, a menu will drop down. That will have an entry that should show something like: "Properties of WRP Service" or something similar. If that is showing WRP Service then the SSL:// is coming from the dataspy, which lets us show the appropriate traffic type. If that is the case, it might simply be the way you have Skype configured on the second PCs (Using secure vs not using secure?)

[ITB]

I don't know what you mean, BUT I found something makes a difference.
In WGIC on the General Tab, I enabled "Launch the Wingate Dialup Monitor on startup" and "Hide the Wingate Dialup Monitor window".
When I DON'T add skype.exe to the System Applications and I start Skype, the user is logged in immediatly.
When I DO add skype to the System Applications and I start Skype, the user has to wait about 20 seconds before he is logged in.

In both situations, when the user is connected I see him at the server as:
PC2[user2]
-- WRP Control Session - Skype.exe
-- TCPLink : 192.168.X.X:1143 <-> host-81-190-132-152.olsztyn.mm.pl.:30690

Now it's working but Skype isn't authenticated with NTLM...
When the user starts Internet Explorer he suddenly his session changes to this:
PC2[user2] - (user2 - Authenticated [NTLM])
-- WRP Control Session - iexplore.exe
-- WRP Control Session - Skype.exe
-- TCPLink : 192.168.X.X:1143 <-> host-81-190-132-152.olsztyn.mm.pl.:30690
-- http://site address
So the user can be authenticated correctly now. That didn't work before too :).

Any ideas how to correct authenticate the user with Skype ?

[Pascal]

I suspect that might just be a UI bug, rather than an actual problem. Let's just confirm that policies are setup correctly.

Do you have a policy set for WRP (Either directly or through System Policies) to require authentication? If so, then the authentication "state" is sufficient. (It might simply not be showing "NTLM", while the webproxy will) As you are using the OS Userdatabase it will be authenticated via NTLM (Might just not be displaying it).

Will check if the UI is ok.

[ITB]

I suspect that might just be a UI bug, rather than an actual problem. Let's just confirm that policies are setup correctly.

Do you have a policy set for WRP (Either directly or through System Policies) to require authentication? If so, then the authentication "state" is sufficient. (It might simply not be showing "NTLM", while the webproxy will) As you are using the OS Userdatabase it will be authenticated via NTLM (Might just not be displaying it).

Will check if the UI is ok.

Sorry for not posting in 2 days, I was working in another Office :).

The problem is getting weirder:
Settings that I've done, discribed in the post from May 30 05 10:36 pm, aren't working anymore since June 1th while nothing has changed. The only thing that happened is that users have shutdown and start up the next day. Nothing changed on server side.

The users that WERE authenticated correctly are seen as followed in Wingate:
PC1[user1]
-- WRP Control Session - Skype.exe
-- TCPLink : 192.168.X.X:1143 <-> host-81-190-132-152.olsztyn.mm.pl.:30690
When Internet explorer is loaded the user changes to:
PC1[user1] - (user1 - Authenticated [NTLM])

Users that weren't correctly authenticated are back to the beginning.
The have to be assumed to use Skype.

Reaction to your post:
I don't exactly know what you mean by WRP, but I will discribe our policy.
Active Directory has a group called Internet, which has users in it that are authorized by us to use the Internet.
In wingate:
Winsock Redirector Serice: No rights defined to a specified group. Default rights might be used instead.
GDP service :same as Winsock
WWW Proxy Server:
- General tab: NTLM, Level:strong,Database: Windows (NT) Only
- Policies tab: Recipient Internet (Group from Active Directory) -> User may be assumed. Default Rights (System Policies) are ignored.

Hope you see something interesting...

[ITB]

Added Skype.exe in WGIC to System Applications with Mixed Access and now it is working as before.
Clients get connected with Skype but aren't authenticated with NTLM until they start Internet Explorer.