Wingate Authentication

Postby daniel.medina » Dec 16 04 4:56 pm

Hello,

I have some problems with WinGate authentication.

Scenario:
- Windows 2000 Server, Wingate 6.0.3.1005
- WWW Proxy Service on port 85, NTLM & Basic Auth both enabled
- IE w/sec.settings "prompt for username and password"
- Use Windows Database
- System Policies on everyone unrestricted rights
- WWW Proxy Service Policies: USER1 unrestricted rights
- WWW Proxy Service Policies: Default policies are ignored
- Logged into machine as USER2.

I'm trying to get the username and password prompt in IE so that the OS-logged-in USER2 can enter the username USER1 and his password, but the username/password prompt is never displayed in IE. It always shows the message "Access Denied - File not found or access denied", whether NTLM, Basic, or both are enabled, with "user must be authenticated" or "user is unknown". With "user is assumed" (and only Basic auth enabled) the pop-up username and password prompt appears, but it doesn't accept the USER1 user and pass.

This happens because I'm writing a system that requires proxy authentication and the user must be different from the user currently logged in.

What can I do to solve this problem?

Thanks

Daniel
daniel.medina
 
Posts: 6
Joined: Dec 16 04 4:46 pm

Re: Wingate Authentication

Postby Pascal » Dec 16 04 5:48 pm

daniel.medina wrote: - System Policies on everyone unrestricted rights
- WWW Proxy Service Policies: USER1 unrestricted rights
- WWW Proxy Service Policies: Default policies are ignored
- Logged into machine as USER2.


Have you set any other policies in the WWW Proxy Service? (Ban list / time / advanced criteria / etc.)
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Re: Wingate Authentication

Postby daniel.medina » Dec 17 04 3:06 am

Have you set any other policies in the WWW Proxy Service? (Ban list / time / advanced criteria / etc.)


No, no other policies in the WWW Proxy Service, nor in system policies. Default WinGate install. I always get the error 403, no username and pass prompt.

Daniel

Postby Pascal » Dec 17 04 8:29 am

The policies all seem right. What will happen on the first pass is WinGate will check to see if there is any policy that can grant access. If it needs to raise the authentication level to do that - it will request that. (Try to auth). What I suspect is happening is that your client is already authenticated. Either automatically by the browser OR by virtue of being logged in by GateKeeper (To watch activity?) or from another session that is still active. (And has thus not released its authentication).

A few suggestions then:

1. Run a network sniffer to see what traffic is going between the website and the client PC. This will give you an idea if it's automatically trying to authenticate already.

2. I have seen strange behavior with IE when doing something like this (It likes to do things automatically for you). Generally, using another browser can tell you if it's setup related / browser related.

Postby daniel.medina » Dec 17 04 8:54 am

Pascal wrote: The policies all seem right. What will happen on the first pass is WinGate will check to see if there is any policy that can grant access. If it needs to raise the authentication level to do that - it will request that. (Try to auth). What I suspect is happening is that your client is already authenticated. Either automatically by the browser OR by virtue of being logged in by GateKeeper (To watch activity?) or from another session that is still active. (And has thus not released its authentication).

A few suggestions then:

1. Run a network sniffer to see what traffic is going between the website and the client PC. This will give you an idea if it's automatically trying to authenticate already.

2. I have seen strange behavior with IE when doing something like this (It likes to do things automatically for you). Generally, using another browser can tell you if it's setup related / browser related.


OK, now I've tested it with GateKeeper closed (I stopped and started the WinGate server before) and in the Mozilla Firefox browser. The same thing happens :-(. The issue is in WinGate itself, because I've tested with 2 components, one in VB and the other in Delphi, and I still get 403/Access Denied, even forcing a valid username and password with rights in the WWW Proxy Service.

Where can I obtain, and how can I run, a network sniffer to see the traffic between the website and my computer? Is there anything else that I can do?

Thanks

Postby Pascal » Dec 17 04 8:56 am

Can you email me your registry configuration, please? That is HKEY_LOCAL_MACHINE\Software\Qbik Software\WinGate. However, you can also export that using Options -> Advanced in GateKeeper.

CommView is one network sniffer; there are quite a few around.

Postby daniel.medina » Dec 17 04 5:07 pm

Pascal wrote: Can you email me your registry configuration, please? That is HKEY_LOCAL_MACHINE\Software\Qbik Software\WinGate. However, you can also export that using Options -> Advanced in GateKeeper.

Commview is one network sniffer, there's quite a few around.


I sent you the registry branch as daniel.medina@luministar......br ... for pascal@qbik.....

Thanks for helping me, but can you indicate a proxy server that accepts this kind of authentication (an OS-logged-in user with the user and pass of another user)? I would appreciate it for developing my system. Thank you very much,

Daniel

Postby Pascal » Dec 17 04 5:10 pm

WinGate should do that, just got your config - I am about to test it.

Postby daniel.medina » Dec 17 04 5:14 pm

Pascal wrote: WinGate should do that, just got your config - I am about to test it.


OK. We have been using WinGate for about 3 years and it's an excellent product, so we will wait for the solution.

Thanks

Daniel

Postby Pascal » Dec 17 04 5:35 pm

The only strange thing about that. The user is ftp_....na ? That user is set to "User may be unknown".

What that essentially means though is WinGate will never request / require Authentication. Try bumping it up to "User must be authenticated" when you want to test authentication with NTLM. When you want to test with Basic you need to drop it to "User may be assumed"

Postby daniel.medina » Dec 18 04 12:38 am

Pascal wrote: The only strange thing about that. The user is ftp_....na ? That user is set to "User may be unknown".

What that essentially means though is WinGate will never request / require Authentication. Try bumping it up to "User must be authenticated" when you want to test authentication with NTLM. When you want to test with Basic you need to drop it to "User may be assumed"


I've already tried the 3 options, but the same problem happens.

Daniel

Postby Pascal » Dec 20 04 9:09 am

Looking through this in a debugger - I can see WinGate send the authentication challenge back to the browser. The browser responds, but even though I have it set to "Prompt for username and password" it keeps on authenticating with the currently logged in credentials.

So, the authentication process goes through all the correct steps, but it authenticates the logged in user from the browser side - it refuses to prompt. That's not a WinGate problem; but I don't know what workaround to suggest for you. Will have more of a dig through this to see why the browser does not prompt even though it's configured to do so. (Old versions of Firefox do, the official release does not)
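
An added example, not part of the original thread and not WinGate or Qbik code: one way to confirm from a sniffer capture what Pascal describes above, by decoding each Proxy-Authorization header and reading the account name the client actually presented. The capture, the names LAB, PC01 and example.com, and the helper functions are constructed for illustration; the NTLM offsets follow the standard Type 3 message layout.

```python
import base64
import struct

def sample_type3(domain, user, host):
    """Constructed sample: minimal NTLM Type 3 message with empty LM/NT responses."""
    fields = [b"", b"", *(s.encode("utf-16-le") for s in (domain, user, host)), b""]
    head, payload = b"NTLMSSP\0" + struct.pack("<I", 3), b""
    for f in fields:  # six security buffers: length, max length, offset
        head += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return base64.b64encode(head + struct.pack("<I", 0x1) + payload).decode()

def presented_user(value):
    """Return (scheme, username or None) for one Proxy-Authorization value."""
    scheme, _, blob = value.strip().partition(" ")
    raw = base64.b64decode(blob)
    if scheme.lower() == "basic":
        return "Basic", raw.decode("latin-1").partition(":")[0]
    if scheme.lower() == "ntlm" and raw[:8] == b"NTLMSSP\0" and len(raw) >= 12:
        mtype = struct.unpack_from("<I", raw, 8)[0]
        if mtype != 3 or len(raw) < 64:
            return f"NTLM type {mtype}", None  # Type 1 carries no username
        enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & 0x1 else "cp437"
        length, _, offset = struct.unpack_from("<HHI", raw, 36)  # UserName buffer
        return "NTLM type 3", raw[offset:offset + length].decode(enc)
    return scheme, None

def audit(requests, expected_user):
    """For each client request: what was sent, and does it name expected_user?"""
    report = []
    for req in requests:
        headers = dict(ln.split(": ", 1) for ln in req.split("\r\n")[1:] if ": " in ln)
        value = next((v for k, v in headers.items() if k.lower() == "proxy-authorization"), None)
        if value is None:
            report.append(("none", None, False))
            continue
        scheme, user = presented_user(value)
        report.append((scheme, user, user is not None and user.lower() == expected_user.lower()))
    return report

# Constructed capture: what a sniffer would show if the browser answers the
# proxy's challenge by itself with the logged-in account (USER2), not USER1.
TYPE1 = base64.b64encode(b"NTLMSSP\0" + struct.pack("<II", 1, 0x1)).decode()
CAPTURE = [
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    f"GET http://example.com/ HTTP/1.1\r\nProxy-Authorization: NTLM {TYPE1}\r\n\r\n",
    "GET http://example.com/ HTTP/1.1\r\nProxy-Authorization: NTLM "
    + sample_type3("LAB", "USER2", "PC01") + "\r\n\r\n",
]
```

Calling audit(CAPTURE, "USER1") on this capture shows the third request carrying USER2, which is the silent logged-in-user authentication seen in the debugger.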

