We have Wingate 6.0.4 Enterprise on Win2k server (domain member), using remote AD user database and WWW Proxies. All clients are Win2k/XP using IE 5.5/6
I am trying to force the NTLM authentication applet rather than relying on the current windows login credentials - a replication of how the Java applet works with the Wingate database basically.
I have tried various security settings in IE (Prompt for username and password etc.) but wingate allows authentication straight through.
There are historical reasons for needing this, I do not wish to revert to the Wingate database as this was the last block to allowing users have control of password changes accros the enterprise.
Maybe we were not using the WGIC correctly when we trialed it but it
seemed to cause numerous problems client side, so we decided against this.
Any assistance is appreciated,
Mark.
Force NTLM Login applet
Moderator: Qbik Staff
13 posts
• Page 1 of 1
by highseatltd » May 19 05 2:20 am
I am having excatly the same problem. I have been searching forums for an answer but as of yet I have not found one.
Hope someone replys to your post.
Hope someone replys to your post.
- highseatltd
- Posts: 6
- Joined: May 19 05 2:17 am
by MattP » May 19 05 9:31 am
Hi,
We have a little authentication applet that may satisfy your requirements, you can download it here, http://www.wingate.com/downloads/qbikauth.exe
I hope it helps.
Regards,
Matt
We have a little authentication applet that may satisfy your requirements, you can download it here, http://www.wingate.com/downloads/qbikauth.exe
I hope it helps.
Regards,
Matt
- MattP
- Qbik Staff
- Posts: 991
- Joined: Sep 08 03 4:30 pm
applet
by highseatltd » May 19 05 11:07 pm
I'm not sure if I have missed something on the download, but that applet does not ask you for authentication from within your browser. It seems to be a stand alone util.
The problem is to force users to verify who they are when accessing the internet. It is not acceptable to assume that because they are logged in at a workstation it is they (the logged in user) who is accessing the internet. It could simply be someone passing by (i.e. a factory worker in our case).
We at the moment use Novell Border Manager which is configured to ask for authentication for each session. This presents the user with a login screen asking for user name and password. If a session occurs within 10 mins of the last session you are not required to authenticate again.
I hope this helps in further understanding our problem.
Ps. We are looking to move away from Novell in favour of Windows servers.
The problem is to force users to verify who they are when accessing the internet. It is not acceptable to assume that because they are logged in at a workstation it is they (the logged in user) who is accessing the internet. It could simply be someone passing by (i.e. a factory worker in our case).
We at the moment use Novell Border Manager which is configured to ask for authentication for each session. This presents the user with a login screen asking for user name and password. If a session occurs within 10 mins of the last session you are not required to authenticate again.
I hope this helps in further understanding our problem.
Ps. We are looking to move away from Novell in favour of Windows servers.
- highseatltd
- Posts: 6
- Joined: May 19 05 2:17 am
by adrien » May 20 05 10:18 am
Hi
There are 2 parts to getting that login window in IE. One you have touched on in terms of getting IE to prompt for username and password rather than automatically using the current credentials. I think some versions of IE or Outlook will always try the currently logged-in user's credentials first though.
Do the users show as authenticated in GateKeeper? It is possible that authentication is not being required, based on WinGate's WWW Proxy policies. To force NTLM, the policies for the WWW Proxy need to require users to be authenticated (rather than assumed or guest), and also obviously you need to enable NTLM in the WWW Proxy as well.
Does any of that help?
Adrien
There are 2 parts to getting that login window in IE. One you have touched on in terms of getting IE to prompt for username and password rather than automatically using the current credentials. I think some versions of IE or Outlook will always try the currently logged-in user's credentials first though.
Do the users show as authenticated in GateKeeper? It is possible that authentication is not being required, based on WinGate's WWW Proxy policies. To force NTLM, the policies for the WWW Proxy need to require users to be authenticated (rather than assumed or guest), and also obviously you need to enable NTLM in the WWW Proxy as well.
Does any of that help?
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by highseatltd » May 20 05 8:50 pm
I have tried all the different options in IE - some cause you to be authenticated as guest and others authenticate you automatically.
It doesn't seem to matter which one is used, the only way I can get it to prompt for a username is to use the wingate local users.
With NTLM authentication enabled in wingate it always authenticates regardless of the options in Ie or the fact that you say must authenticate in wingate.
Nothing prompts for a username.
IE version is 6.0.29
It doesn't seem to matter which one is used, the only way I can get it to prompt for a username is to use the wingate local users.
With NTLM authentication enabled in wingate it always authenticates regardless of the options in Ie or the fact that you say must authenticate in wingate.
Nothing prompts for a username.
IE version is 6.0.29
- highseatltd
- Posts: 6
- Joined: May 19 05 2:17 am
Wingate crashed
by highseatltd » May 20 05 11:30 pm
I have only been using the eval version for a few days and after the above problems wingate seems to have crashed.
I am sorry to say that this product seems a bit unstable - will look for alternative.
I am sorry to say that this product seems a bit unstable - will look for alternative.
- highseatltd
- Posts: 6
- Joined: May 19 05 2:17 am
by labull » May 21 05 2:08 am
It's your choice of course to look for an alternative, but most users find WinGate very stable. I have three installs that generally run for months with no problems.
When you add in the outstanding support you get it's a great product from a great company.
Larry
When you add in the outstanding support you get it's a great product from a great company.
Larry
WinGate Lurker
- labull
- WinGate Guru
- Posts: 710
- Joined: Sep 06 03 1:03 am
- Location: Washington, DC - USA
by highseatltd » May 21 05 2:18 am
If you can fix the above problem of authentication then I will continue to use the product until trial period is over.
I am willing to forgive one incident.
I am willing to forgive one incident.
- highseatltd
- Posts: 6
- Joined: May 19 05 2:17 am
by adrien » May 27 05 10:29 am
Hi
If you turn on debug logging in the WWW Proxy, you should be able to see what is happening.
It seems very odd that WinGate wouldn't behave any differently whether or not you require auth in the policy. Have you selected in the policies tab in the WWW proxy that default rights "are ignored"? Otherwise you may find that the default system rights are granting permission if you had the "may be used instead" option selected (which is the default).
When you see the user in GateKeeper, what is the username showing?
If it is correct, and the account should be allowed, then there's probably nothing you can do about it... if IE insists on trying straight up with the current credentials, there's no way WinGate can tell if this is as a result of IE trying to save the user from typing in their password, or whether IE actually presented a dialog box for that... you would need to take that up with the developers of IE...
Adrien
If you turn on debug logging in the WWW Proxy, you should be able to see what is happening.
It seems very odd that WinGate wouldn't behave any differently whether or not you require auth in the policy. Have you selected in the policies tab in the WWW proxy that default rights "are ignored"? Otherwise you may find that the default system rights are granting permission if you had the "may be used instead" option selected (which is the default).
When you see the user in GateKeeper, what is the username showing?
If it is correct, and the account should be allowed, then there's probably nothing you can do about it... if IE insists on trying straight up with the current credentials, there's no way WinGate can tell if this is as a result of IE trying to save the user from typing in their password, or whether IE actually presented a dialog box for that... you would need to take that up with the developers of IE...
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
13 posts
• Page 1 of 1
Who is online
Users browsing this forum: Bing [Bot] and 18 guests