Still evaluating :-) We're currently running Wingate with no authentication requirements at all in our Citrix terminal server environment so everyone is showing up as guest. This has been running now for about a week without problems which is good news. Because everyone on terminal server is under the same guest account, we could probably just purchase the 12 concurrent user standard version :-)
The above in effect gives us very similar functionality that we're currently using with MS Proxy 2.
But we'd like to turn on authentication (for logging purposes) but don't want to use the Wingate client. So we can enable NTLM authentication against everyone and throw in a few multi-user IP addresses for the terminal servers.
But the problem is that this breaks some web applications like WebEx. Webex picks up the proxy server setting from IE (as do quite a few apps) but must not authenticate via NTLM in the same way as IE. The result is that these connections appear as guest and therefore WinGate refuses access.
What we need is someway of defining access so that if somebody happens to us NTLM then fine, they authenticate and we can see their activity. However, if not, then they authenticate as guest but they still have access.
Is this possible?
Thanks, Rob.
NTLM authentication and guest users
Moderator: Qbik Staff
4 posts
• Page 1 of 1
NTLM authentication and guest users
by munrobasher » May 05 06 1:55 am
- munrobasher
- Posts: 67
- Joined: Apr 22 06 4:20 am
by adrien » May 05 06 2:58 am
Hi Rob
because you can set authentication requirements per request, you can possibly circumvent the problem with webex by adding a policy to the web proxy that allows unauthenticated access to the site(s) that webex goes to.
I'm picking these sites wouldn't need to be restricted to other users?
Then webex wouldn't need to auth.
Most apps that use the IE connection settings do so because they are using the WinInet / WinHTTP subsystem. This should be handling the authentication as well. Have you tried setting the IE settings to automatically use the currently logged in credentials?
Under Internet Properties -> Security -> Custom Level ->User authentication
Adrien
because you can set authentication requirements per request, you can possibly circumvent the problem with webex by adding a policy to the web proxy that allows unauthenticated access to the site(s) that webex goes to.
I'm picking these sites wouldn't need to be restricted to other users?
Then webex wouldn't need to auth.
Most apps that use the IE connection settings do so because they are using the WinInet / WinHTTP subsystem. This should be handling the authentication as well. Have you tried setting the IE settings to automatically use the currently logged in credentials?
Under Internet Properties -> Security -> Custom Level ->User authentication
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by munrobasher » May 05 06 4:20 am
Have you tried setting the IE settings to automatically use the currently logged in credentials?
The current IE setting is "Automatic logon only in the Intranet zone". This is the default medium level. I'll try changing it to "Automatic login with current username and password" tomorrow.
Cheers, Rob.
- munrobasher
- Posts: 67
- Joined: Apr 22 06 4:20 am
by adrien » May 05 06 11:33 am
another option rather than trying to enable all the sites webex may want to go to is if it uses a different browser type tag, you could use that in the policy instead to grant that browser unrestricted access.
You may need to do a packet capture or something to find out what the User-Agent tag is though.
Adrien
You may need to do a packet capture or something to find out what the User-Agent tag is though.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 9 guests