Credential rule does not work

Discussion for beta versions of WinGate

Postby PeterG » Nov 07 11 2:07 am

Hi,

I use WG7 with Windows User Connector as a proxy server, without NAT and without DHCP (these two services are provided by the router).

There I have created a credential rule, which should assume requests from a client to be from a user.
But this doesn't work (I tried it by computer name, IP and MAC).
On a request, Activity shows the computer with '( unknown )' and the browser asks for authentication.

Do I need a special policy to handle this?

Regards,
Peter
Please excuse my not perfect English.
PeterG
 
Posts: 12
Joined: Oct 25 11 7:26 pm
Location: Austria

Re: Credential rule does not work

Postby adrien » Nov 07 11 8:42 am

Hi

The browser asking for authentication means you have a policy requesting it.

When a user is assumed in WinGate, we don't add the SID for "Authenticated Users", so if your policy checks the user against "Authenticated Users" it will still not match. It will match, however, on users and groups, so you can still do group- and user-level policy.

As for showing unknown, this should not happen; there should be only two checkboxes checked for an assumption rule: 'rule enabled' and 'assume user to be'. We've not had any issues matching on IP. For matching on computer name, WinGate needs to know the computer name (it gets this if it's the DHCP server). For MAC address, the address needs to be space-separated, e.g. xx xx xx xx xx xx.

Adrien
adrien
Qbik Staff
 
Posts: 5197
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Credential rule does not work

Postby PeterG » Nov 15 11 9:30 am

Hi Adrien,

Thanks, this fixed it.
It would be helpful (and it would have saved me a lot of time) if the help file and/or the policy examples showed this behaviour.
Is there a property like 'IsAssumed' to test if the user is assumed? I can't find one.

Credential rules work only if I specify the IP address. MAC does not work.
WG shows the computer name in Activity, so WG knows it. So I don't understand why it can't be used for credential rules.

Thanks,
Peter

Re: Credential rule does not work

Postby adrien » Nov 15 11 10:04 am

Hi

Due to the way we check membership etc., basically the only way to tell if a user is assumed is that the SID for Authenticated Users is not on their user token, and they aren't unknown.

It's not a very good way to tell, I admit.

When we considered this before, we couldn't think of any reason why people would need to know if a user was assumed. Obviously you have a use case; maybe there's another way to do what you need?

Adrien

Re: Credential rule does not work

Postby PeterG » Nov 15 11 10:37 am

I use it to allow assumed users only a list of specified sites (whitelist), and authenticated users all sites.

Can you please explain why credential rules by computer name don't work, although WG knows the computer name?

Thanks, Peter
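The following is an added Python model of the behaviour discussed in the posts above; it is not WinGate code and not from any poster in this thread. It assumes a token that is "assumed" when the user is identified but the well-known Authenticated Users SID (S-1-5-11, a real Windows constant) is absent, credential rules that match on IP or on a MAC written in the space-separated form the rule expects, and a constructed directory, group SIDs and whitelist (all hypothetical). It shows the two points an operator cares about: an "Authenticated Users" check never matches an assumed user while a group check does, and how Peter's whitelist-for-assumed, everything-for-authenticated policy falls out of that.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Well-known SID for "Authenticated Users" (real Windows constant).
# The token layout and rule evaluation below are a model, not WinGate's implementation.
AUTHENTICATED_USERS_SID = "S-1-5-11"

# Constructed directory and groups (hypothetical SIDs).
GROUP_SIDS = {"Staff": "S-1-5-21-1-2-3-1001", "Admins": "S-1-5-21-1-2-3-512"}
DIRECTORY = {
    "peter": {GROUP_SIDS["Staff"]},
    "admin": {GROUP_SIDS["Staff"], GROUP_SIDS["Admins"]},
}
WHITELIST = {"example.com", "update.example.net"}  # constructed


def normalise_mac(mac: str) -> str:
    """Rewrite any common MAC notation (aa:bb:..., AA-BB-..., aabb...) into the
    space-separated form the credential rule wants; lower-case is this example's choice."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return " ".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


@dataclass
class CredentialRule:
    kind: str          # "ip" or "mac"; computer name is left out on purpose (see thread)
    value: str
    assume_user: str
    enabled: bool = True


@dataclass
class Token:
    user: Optional[str]
    sids: Set[str] = field(default_factory=set)

    @property
    def unknown(self) -> bool:
        return self.user is None

    @property
    def assumed(self) -> bool:
        # The only available signal: identified, but without the Authenticated Users SID.
        return not self.unknown and AUTHENTICATED_USERS_SID not in self.sids


def build_token(src_ip: str, src_mac: str, authenticated_user: Optional[str],
                rules: List[CredentialRule]) -> Token:
    """Attribute a request to a user: real authentication wins, then the first
    matching credential rule (assumption), otherwise the client stays unknown."""
    if authenticated_user is not None:
        return Token(authenticated_user,
                     set(DIRECTORY.get(authenticated_user, set())) | {AUTHENTICATED_USERS_SID})
    mac = normalise_mac(src_mac)
    for rule in rules:
        if not rule.enabled:
            continue
        if (rule.kind == "ip" and rule.value == src_ip) or \
           (rule.kind == "mac" and normalise_mac(rule.value) == mac):
            # Assumed users get their group SIDs but NOT S-1-5-11.
            return Token(rule.assume_user, set(DIRECTORY.get(rule.assume_user, set())))
    return Token(None)


def matches_group(token: Token, group: str) -> bool:
    return GROUP_SIDS[group] in token.sids


def decide(token: Token, host: str) -> str:
    """Peter's policy: authenticated users may go anywhere, assumed users only to
    the whitelist, unknown clients are challenged for credentials."""
    if token.unknown:
        return "challenge"
    if AUTHENTICATED_USERS_SID in token.sids:
        return "allow"
    return "allow" if host in WHITELIST else "deny"
```

Assumption by IP or MAC is a convenience, not authentication: both identifiers are chosen by the client, so a whitelist for assumed users should be treated as the limit of what an unauthenticated host on that LAN may reach.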

Re: Credential rule does not work

Postby adrien » Nov 15 11 3:17 pm

Hi

Computer name is a bit of a problem. Basically, there's no reliable way to get the Windows computer name of a computer remotely.

If the computer uses DHCP, and it's a Windows computer, it will include its computer name in its DHCP request, which WinGate then learns and remembers.

If the computer doesn't use DHCP, we only get the computer name if the computer is using the WinGate client, or WinGate Management.

This is even though the computer name may show in the Activity panel. The reason is that what is showing in Activity is the result of a reverse DNS lookup (PTR) on the IP. In many environments this maps to the computer name, but it's subtly different. For instance, for an external connection in, it's an internet name.

So WinGate doesn't treat the reverse-DNS name as the computer name.

We can't reliably use the reverse-DNS name in credential rules either, since the reverse DNS lookup can take an arbitrarily long time to complete or can fail. You probably don't want your connections waiting for the reverse lookup.

We could possibly snoop the computer name out of, say, the NTLM protocol handshake... but then you're authenticating anyway.

In fact... I guess my question is, if you have single sign-on, why create such headaches for yourself with assumption / credential rules?

Why not just get your clients to auth? They won't be prompted for a user/pass if you're using NTLM.
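As an added illustration of the DHCP point above (example code, not WinGate's and not from any poster here): a DHCP server learns a client's name only because the client volunteers it in option 12 (Host Name) of its DHCPDISCOVER/DHCPREQUEST, alongside the hardware address in the fixed `chaddr` field. The packet builder constructs a minimal RFC 2131 request as sample input; the parser pulls out the MAC (in the same space-separated notation a credential rule uses) and the host name, and a small lease table records what a server in WinGate's position could know. A host with a static IP never sends this packet, so its name stays unknown, which is the situation Peter has.

```python
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options marker
OPT_PAD, OPT_HOST_NAME, OPT_MESSAGE_TYPE, OPT_END = 0, 12, 53, 255
DHCPREQUEST = 3


def build_dhcp_request(mac: bytes, hostname: Optional[str] = None,
                       xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPREQUEST as a client would send it (sample input).
    Windows clients add option 12 with their computer name; pass hostname=None to
    model a client that does not."""
    if len(mac) != 6:
        raise ValueError("Ethernet MAC must be 6 bytes")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags(broadcast),
    # ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    header += mac.ljust(16, b"\0") + bytes(64) + bytes(128)   # chaddr, sname, file
    options = bytearray(MAGIC_COOKIE)
    options += bytes([OPT_MESSAGE_TYPE, 1, DHCPREQUEST])
    if hostname is not None:
        name = hostname.encode("ascii")
        options += bytes([OPT_HOST_NAME, len(name)]) + name
    options += bytes([OPT_END])
    return header + bytes(options)


def parse_dhcp(packet: bytes) -> dict:
    """Extract client MAC, message type and the client-supplied host name (if any)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("only BOOTREQUEST over Ethernet is handled here")
    chaddr = packet[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    hostname = options.get(OPT_HOST_NAME)
    return {
        # Same notation the credential rule wants: "xx xx xx xx xx xx"
        "mac": " ".join(f"{b:02x}" for b in chaddr),
        "message_type": options[OPT_MESSAGE_TYPE][0] if OPT_MESSAGE_TYPE in options else None,
        "hostname": hostname.decode("ascii", "replace") if hostname is not None else None,
    }


class HostTable:
    """What a DHCP server can learn about its clients, keyed by MAC because that is
    the one identifier present in every lease transaction."""

    def __init__(self) -> None:
        self.by_mac: Dict[str, str] = {}

    def learn(self, packet: bytes) -> dict:
        info = parse_dhcp(packet)
        if info["hostname"] is not None:
            self.by_mac[info["mac"]] = info["hostname"]
        return info

    def computer_name(self, mac: str) -> Optional[str]:
        return self.by_mac.get(mac)
```

Note that option 12 is whatever the client chooses to send and is not authenticated by anything; a name learned this way is a label for convenience, not an identity the proxy can rely on.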

Re: Credential rule does not work

Postby PeterG » Nov 16 11 2:58 am

Hi Adrien,

Thanks for your response with the detailed explanation of the problem with the computer name.
I understand, and it is no problem for me to use the IP.

I don't have an AD, so silent authentication only works if the server and the client have the same password set for the user.
And for clients that are used only by one user, I use assumption to authenticate, so it doesn't matter if the password is wrong.

And there are also some system processes (e.g. AutoUpdate) which fail to authenticate. For those I have a whitelist of sites which are allowed for assumed users.

Re: Credential rule does not work

Postby adrien » Nov 16 11 7:22 am

Hi

If you wanted silent authentication without setting up Windows accounts on your WinGate server for each LAN client, you can actually do this if you use the WinGate users and groups.

Since the WinGate user database provider supports NTLM, if you create an account in there with the same username and password as the client, then the client auth will be silent, and you get the benefit of not creating Windows credentials on the WinGate server (which therefore affects things like shares, etc.). The WinGate accounts can only be used for WinGate access.

Regards

Adrien
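Why "same username and password on both sides" is the whole requirement for silent NTLM, as an added Python walk-through of the NTLMv2 core (this is example code written for this page, not WinGate's implementation and not from any poster; the WinGate user database is modelled as a plain dict of user to NT hash). The client never sends the password: it derives the NT hash (MD4 over the UTF-16LE password), folds in the upper-cased user name and domain with HMAC-MD5, and answers the server's challenge with another HMAC-MD5. The server can only recompute that answer if the hash it stores was made from the same password, which is exactly what the two posts above describe. MD4 is implemented inline because OpenSSL 3 builds of `hashlib` usually refuse it. The "temp" blob is a simplified stand-in (no target-info AV pairs) and is labelled as such.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python (hashlib's md4 is often unavailable under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_k = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = rotl((a + G(b, c, d) + X[r2_k[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = rotl((a + H(b, c, d) + X[r3_k[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the server stores; it never needs the clear-text password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)) per MS-NLMP."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(response_key: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    return hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()


def client_authenticate(password: str, user: str, domain: str, server_challenge: bytes,
                        client_challenge: bytes) -> Tuple[bytes, bytes]:
    """Client side: returns (NtProofStr, temp). temp is simplified: header, zero
    timestamp, client challenge, no AV pairs (a stand-in, not a full NTLMv2 blob)."""
    temp = b"\x01\x01" + bytes(6) + struct.pack("<Q", 0) + client_challenge + bytes(4)
    return nt_proof(ntowf_v2(nt_hash(password), user, domain), server_challenge, temp), temp


def server_verify(stored_nthash: bytes, user: str, domain: str, server_challenge: bytes,
                  proof: bytes, temp: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and compare in constant time."""
    expected = nt_proof(ntowf_v2(stored_nthash, user, domain), server_challenge, temp)
    return hmac.compare_digest(expected, proof)


def negotiate(user_db: Dict[str, bytes], user: str, client_password: str,
              domain: str = "") -> str:
    """One NTLMv2 round trip between a browser and a proxy holding user_db
    (modelled as user -> NT hash). Returns "silent" or "prompt"."""
    server_challenge = os.urandom(8)
    proof, temp = client_authenticate(client_password, user, domain, server_challenge, os.urandom(8))
    stored: Optional[bytes] = user_db.get(user)
    if stored is None or not server_verify(stored, user, domain, server_challenge, proof, temp):
        return "prompt"      # the browser falls back to asking for credentials
    return "silent"
```

Because the comparison happens on hash-derived values, a proxy-side account only needs the same password, not the same Windows account; that is why a WinGate-only user with matching credentials gives the same silent logon as a local Windows account, without exposing shares or other Windows resources on the proxy host.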
