I am using wingate 5.2.3 (build 901) I have setup java authentication for user logon. I have setup user accounts. My server is running windows 2000. I am running a straight manual proxy server. No ENS, DHCP. I followed the instructions on setting up java authentication and it works by forcing the user to logon, now the problem.
When the user closes the wingate login box and the web browser (IE 6.xx) another user can come to the machine and click the browser and automatically go on. This happens with 2000 and xp home/pro client machines.
Any ideas? In dire straits school will be starting soon.
java authentication problems
Moderator: Qbik Staff
8 posts
• Page 1 of 1
java authentication problems
by jireland » Aug 20 04 2:52 am
- jireland
- Posts: 3
- Joined: Jul 24 04 5:39 am
by Pascal » Aug 20 04 11:25 am
Two thoughts about this.
1. Between the closing of the last session for a machine and the machine's complete removal there is a small amount of time in which the machine is dropped back to an 'assumed' status before disappearing completely. If your policies do not require full authentication, but only an assumed status - this could create the problem you are seeing.
2. Secondly, if you start IE and get authenticated with the WinGate Server that client machine is treated as authenticated. If you then have another session (From MSN Messenger for example) opening up which might not be readily visible from the client machine this will keep the authentication level active on the server even if you close IE and the login. (I believe though, if you explicitly log off that it will clear the authentication - but will have to verify this)
How much time has elapsed between the user closing all windows and the next person using the computer ? Also, if you look at GateKeeper at that time - are there any sessions showing as open for that machine ?
1. Between the closing of the last session for a machine and the machine's complete removal there is a small amount of time in which the machine is dropped back to an 'assumed' status before disappearing completely. If your policies do not require full authentication, but only an assumed status - this could create the problem you are seeing.
2. Secondly, if you start IE and get authenticated with the WinGate Server that client machine is treated as authenticated. If you then have another session (From MSN Messenger for example) opening up which might not be readily visible from the client machine this will keep the authentication level active on the server even if you close IE and the login. (I believe though, if you explicitly log off that it will clear the authentication - but will have to verify this)
How much time has elapsed between the user closing all windows and the next person using the computer ? Also, if you look at GateKeeper at that time - are there any sessions showing as open for that machine ?
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by wyldcyde » Oct 01 04 4:03 am
hi there, this issue needs to be addressed pronto.
we used to get this problem occasionally but now its happening constantly on our public terminals. Even if the user supposedly logs off and then someone only comes along an hour later it still shows as authenticated in wingate. It does not happen system wide but it also happens on different machines. We have a number of laptop users and they have the same problem. People are definitely logging out properly and i've tested it myself.
I was hoping this issue would get sorted out with wingate6 but it now seems worse.
Even if there is no traffic shown on gatekeeper, ie via msn or yahoo, the session still stays as authenticated.
That 'short time' you mentioned is a bug not feature in my opinion, its frustrating because people pay by the hour for internet here and at the moment wingate is not fully releasing the logins on some computers.
I actually have a laptop in front of me now that is still able to surf the net through wingate even after i've logged off. I have to terminate the session from gatekeeper on the server and even then the session will probably just open again without authenticating. Just says 'assumed' in wingate. NO, these users are not given 'user may be assumed' right in policies, the groups they belong to supposedly must be authenticated.
I've brought up this issue before but to no avail.
thanks
WyldCyde
we used to get this problem occasionally but now its happening constantly on our public terminals. Even if the user supposedly logs off and then someone only comes along an hour later it still shows as authenticated in wingate. It does not happen system wide but it also happens on different machines. We have a number of laptop users and they have the same problem. People are definitely logging out properly and i've tested it myself.
I was hoping this issue would get sorted out with wingate6 but it now seems worse.
Even if there is no traffic shown on gatekeeper, ie via msn or yahoo, the session still stays as authenticated.
That 'short time' you mentioned is a bug not feature in my opinion, its frustrating because people pay by the hour for internet here and at the moment wingate is not fully releasing the logins on some computers.
I actually have a laptop in front of me now that is still able to surf the net through wingate even after i've logged off. I have to terminate the session from gatekeeper on the server and even then the session will probably just open again without authenticating. Just says 'assumed' in wingate. NO, these users are not given 'user may be assumed' right in policies, the groups they belong to supposedly must be authenticated.
I've brought up this issue before but to no avail.
thanks
WyldCyde
- wyldcyde
- Posts: 29
- Joined: Oct 29 03 6:54 am
by Pascal » Oct 01 04 10:16 am
Which version are you currently using? (Build number as well, there have been a few 6.0.x releases)
If somebody comes up as assumed then something is causing them to be granted that status. If your policies say that a user MUST be authenticated; then something else must be allowing an assumed status through.
So, few questions:
1. Do you use assumed users (IP/Machine) at all.
2. What methods do you use to authenticate? (Java client / basic / ntlm / etc.)
You can send a copy of your WinGate registry to me, I'll have a look through it and test your policy setup.
If somebody comes up as assumed then something is causing them to be granted that status. If your policies say that a user MUST be authenticated; then something else must be allowing an assumed status through.
So, few questions:
1. Do you use assumed users (IP/Machine) at all.
2. What methods do you use to authenticate? (Java client / basic / ntlm / etc.)
You can send a copy of your WinGate registry to me, I'll have a look through it and test your policy setup.
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by wyldcyde » Oct 01 04 8:19 pm
sometimes the users will show as assumed on gatekeeper and sometimes as authenticate, but the important thing is that i can (usually) see on gatekeeper that the java login has been terminated... in other words there is no 'java login' under the user name so i know that the user has logged off but the connection is still authenticated.
Sometimes from gatekeeper it looks like the user is authenticated and logged on via java but then i goto the computer and IE is actually closed, when i load up IE it just goes straight through without asking for java authentication.
using latest version of wingate. 6.0.3 (1005)
using java authentication. i have a about 3 assumed ip addresses but i have tried removing all assumed users and groups from wingate policies and problem still not resolved.
the temporary solution i have is to tell users to first close all internet related programs on their computer, including IE then lastly logoff the java window and then close that... of course if there is something else internet related running in the background then that doesn'w work so well.
from my testing i see that gatekeeper is not updating quickly enough after a user logs off so the next user can jump on and use the previous users session.
Eli
Sometimes from gatekeeper it looks like the user is authenticated and logged on via java but then i goto the computer and IE is actually closed, when i load up IE it just goes straight through without asking for java authentication.
using latest version of wingate. 6.0.3 (1005)
using java authentication. i have a about 3 assumed ip addresses but i have tried removing all assumed users and groups from wingate policies and problem still not resolved.
the temporary solution i have is to tell users to first close all internet related programs on their computer, including IE then lastly logoff the java window and then close that... of course if there is something else internet related running in the background then that doesn'w work so well.
from my testing i see that gatekeeper is not updating quickly enough after a user logs off so the next user can jump on and use the previous users session.
Eli
- wyldcyde
- Posts: 29
- Joined: Oct 29 03 6:54 am
by adrien » Oct 02 04 3:51 pm
Hi
If you look in GateKeeper after a user logs off normally, do you still see any sessions from them? Normally the machine will still show, go grey, then after 30s disappear.
However, if your policies force people to authenticate, then even if the machine is still there showing as grey, any new session from that IP won't be deemed authenticated (only assumed), so the policies would still require a login.
I suspect this is a policy configuration issue.
Or do you still see connections showing from the client machine?
Adrien
If you look in GateKeeper after a user logs off normally, do you still see any sessions from them? Normally the machine will still show, go grey, then after 30s disappear.
However, if your policies force people to authenticate, then even if the machine is still there showing as grey, any new session from that IP won't be deemed authenticated (only assumed), so the policies would still require a login.
I suspect this is a policy configuration issue.
Or do you still see connections showing from the client machine?
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by wyldcyde » Oct 02 04 9:11 pm
i also thought it was a policy configuration problem, the thing is that i didnt get this problem as frequently when on wingate5.
i'm going to re-install the server today so before i do that i will try changing the policy. At the moment i have group policies on the www proxy service plus group policy settings on default system rights and have it set to "may be used instead" on the www proxy. i will try removing policy from www proxy and just relying on default system rights.
I must stress that this setup has worked before, its just after upgrading to wingate6.0.3 that this problem is rife.
In gatekeeper the session will go grey if the user has closed down all internet related software on the client pc, if however there is something still running like msn, or webpage update (or spyware) in the background then once they click loggoff on java client, they will still show as authenticated on gatekeeper.
One of the issues seems to be that when they logg off on the java client, gatekeeper isn't terminating the entire session, often it will only report that "java login" is gone but the rest of the session is alive.
Some computers also have the entry "http://" in gatekeeper, that is obviously not a site, its just something that appears under their computer name/ip and that "http://" tends to keep the connection alive.
I've tried putting timeouts on sessions for www proxy but if i use timeouts then people get disconnected from their session while they're still online, for example if someone is writing/reading an email.
thanks
Eli
i'm going to re-install the server today so before i do that i will try changing the policy. At the moment i have group policies on the www proxy service plus group policy settings on default system rights and have it set to "may be used instead" on the www proxy. i will try removing policy from www proxy and just relying on default system rights.
I must stress that this setup has worked before, its just after upgrading to wingate6.0.3 that this problem is rife.
In gatekeeper the session will go grey if the user has closed down all internet related software on the client pc, if however there is something still running like msn, or webpage update (or spyware) in the background then once they click loggoff on java client, they will still show as authenticated on gatekeeper.
One of the issues seems to be that when they logg off on the java client, gatekeeper isn't terminating the entire session, often it will only report that "java login" is gone but the rest of the session is alive.
Some computers also have the entry "http://" in gatekeeper, that is obviously not a site, its just something that appears under their computer name/ip and that "http://" tends to keep the connection alive.
I've tried putting timeouts on sessions for www proxy but if i use timeouts then people get disconnected from their session while they're still online, for example if someone is writing/reading an email.
thanks
Eli
- wyldcyde
- Posts: 29
- Joined: Oct 29 03 6:54 am
8 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 2 guests