WinGate Forums

[PeterG]

Hi,

i use WG7 with Windows User Connector as a proxyserver, without NAT an without DHCP (these two services will be done by the Router).

There i have created a Credential rule, which should assume requests from an client to a user.
But this doesn't work (i tried it by Computername, IP and MAC).
On a request the Activity shows the Computer with '( unknown )' and the browser asks for Authentication.

Do i need a special policy to handle this?

Regards,
Peter

[adrien]

Hi

the browser asking for authentication means you have a policy requesting it.

When a user is assumed in WinGate, we don't add the SID for "authenticated users", so if your policy checks user against "authenticated users" it will still not match. It will match however on users and groups, so you can still do group and user-level policy.

As for showing unknown, this should not happen, there should be only 2 checkboxes checked for an assumption rule - the rule enabled, and assume user to be ones. We've not had any issues matching on IP. for matching on computername, WinGate needs to know the computername (it gets this if it's the DHCP server). For MAC address, the address needs to be space-separated, e.g. xx xx xx xx xx xx.

Adrien

[PeterG]

Hi Adrien,

thanks, this fixed it.
It woukld be helpfull, (and it would have saved me a lot of time) if the helpfile and/or the policy examples will show this behavior.
Is there a property like 'IsAssumed', to test, if the user is assumed? I can't find one.

Credential rules works only, if i specify the IP address. MAC does not work.
WG shows the computername in the Activity, so WG knows it. So i don't understand, why it can't be used for credential rules.

Thanks,
Peter

[adrien]

Hi

Due to the way we check membership etc, basically the only way to tell if a user is assumed is that the SID for authenticated users is not on their user token, and they aren't unknown.

It's not a very good way to tell I admit.

When we considered this before, we couldn't think of any reason why people need to know if a user was assumed.... obviously you have a use-case, maybe there's another way to do what you need?

Adrien

[PeterG]

I use it, to allow assumed users only a list of specified sites (whitelist), and authenticated users all sites.

Can you please explain, why credential rules by computername doesn't work, although WG knows the computername.

Thanks, Peter

[adrien]

Hi

computername is a bit of a problem. Basically, there's no reliable way to get the windows computername of a computer remotely.

If the computer uses DHCP, and it's a windows computer, it will include its computername in its DHCP request, which WinGate then learns and remembers.

If the computer doesn't use DHCP, we only get the computername if the computer is using the WinGate client, or WinGate Management.

This is even though the computername may show in the activity panel. The reason is, that what is showing in activity is the result of a reverse DNS lookup (PTR) on the IP. In many environments this maps to the computername, but it's subtly different. for instance for an external connection in, it's an internet name.

So WinGate doesn't treat the reverse-DNS name as the computername.

We can't reliably use the reverse-DNS name in credential rules either, since the reverse DNS lookup can take an arbitrarily long time to complete or can fail. You probably don't want your connections waiting for the reverse lookup.

We could possibly snoop the computername out of say the NTLM protocol handshake... but then you're authing.

In fact...... I guess my question is, if you have single sign-on, why create such headaches for yourself with assumption / credential rules?

Why not just get your clients to auth? They won't be prompted for a user/pass if you're using NTLM.

[PeterG]

Hi Adrien,

thanks for your response with the detailed explanation of the problem with the computername.
I understand and it is not problem for me, to use the IP.

I did not have a AD, so the silent authentication only works, if the Server and the Client have set the same password for the user.
And for clients, that are used only by one user, i use assumption to authenticate, so it doesn't mater, if the password is wrong.

And there are als some Systemprocesses (e.g. AutoUpdate), which fail to authenticate. For that i have a whitelist of allowed sites, which are allowed for assumed users.

[adrien]

Hi

If you wanted silent authentication, without setting up windows accounts on your Wingate server for each LAN client, you can actually do this if you use the WinGate users and groups.

Since WinGate user database provider supports NTLM, if you create an account in there, with the same username and password as the client, then the client auth will be silent, and you get the benefit of not creating windows credentials on the WinGate server (which therefore affects things like shares etc). The WinGate accounts can only be used for WinGate access.

Regards

Adrien