Upgrade to IE 7

Upgrade to IE 7

Postby jayski » Nov 16 06 9:41 pm

We are running WinGate 6.14 Build 1094 purely as a proxy server.

Until last week when we tested IE7 we had no problems whatsoever.

When an IE7 machine attempts to access the web via the WinGate WWW Proxy a login box is displayed and the log reports:

11/16/06 08:25:36 192.168.10.155 Guest 0000000006 Failed authorisation: ==== AUTH failed The token supplied to the function is invalid

Can anybody help please?

Thanks

Alan
jayski
 
Posts: 9
Joined: May 12 06 1:33 am

Re: Upgrade to IE 7

Postby Nev » Nov 16 06 10:57 pm

jayski wrote:We are running WinGate 6.14 Build 1094 purely as a proxy server.

Until last week when we tested IE7 we had no problems whatsoever.

When an IE7 machine attempts to access the web via the WinGate WWW Proxy a login box is displayed and the log reports:

11/16/06 08:25:36 192.168.10.155 Guest 0000000006 Failed authorisation: ==== AUTH failed The token supplied to the function is invalid

Can anybody help please?

Thanks

Alan


G'day Alan,

How are your users recognised in WinGate?

Are they just guests, or is the Windows DB in use as assumed users?

Have IE7 here on Win2k3 ok, not that I use it for anything but WSUS.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Re: Upgrade to IE 7

Postby jayski » Nov 16 06 11:09 pm

Hi Nev,

They are database users from our 2K AD.

If I revert back to IE 6 all is OK and my username is picked up automatically and logged correctly in the logs.

Thanks

Alan
jayski
 
Posts: 9
Joined: May 12 06 1:33 am

Postby jayski » Nov 17 06 12:12 am

I can 'fix' the problem by doing this:

Tools - Internet Options - Advanced and remove the tick from Enable Integrated Windows Authentication

and no login box appears and my username is logged correctly.
jayski
 
Posts: 9
Joined: May 12 06 1:33 am

Postby Nev » Nov 17 06 11:31 am

jayski wrote:I can 'fix' the problem by doing this:

Tools - Internet Options - Advanced and remove the tick from Enable Integrated Windows Authentication

and no login box appears and my username is logged correctly.


Hi Alan,

Good tip to keep handy!

Actually mine is on for WinGate, but I will watch as clients install IE7 now to see if the same mismatch occurs.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby jayski » Nov 18 06 4:00 am

Just checked another few machines with IE7 and some work with the Enable Integrated Windows Authentication box ticked and some don't - very confused!
jayski
 
Posts: 9
Joined: May 12 06 1:33 am

Postby rsenio » Nov 24 06 4:39 am

I am also having this issue. I've opened a case with support and in turn they have set up a mock AD with my exported WinGate registry. I've just heard back that he wasn't able to reproduce the problem. So besides modifying the default install of IE7 to turn off Integrated Windows Auth, does anyone have other troubleshooting information to provide? I've tried everything I can think of. And the weird part is that all IE6 clients are fine, which leads me to believe that it was a WinGate issue. But who knows.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 24 06 1:01 pm

Hi

One thing that could be really helpful to track down whether it's a WinGate issue is a packet capture of the traffic involved between the IE7 client and WinGate.

It's an AD on 2000, correct? We had some problems in the past with buffer lengths on 2003 server, since the tokens it passes around are much bigger than for 2000. However, it's possible that depending on your domain structure etc. there's a size issue again. Looks like currently there's a 2kB limit on token size....

A packet capture will confirm this. If you need a recommendation for a capture utility, either CommView or Ethereal.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 24 06 1:04 pm

Our Active Directory is hosted on a Windows 2003 box. It's odd that IE6 works flawlessly and IE7 doesn't.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 24 06 1:10 pm

PS

I'd also definitely try WinGate 6.2. Looking through the code again, that error gets called when a received chunk from the client is invalid, and we have an 8k limit on that, and won't even try the chunk if it is bigger than that. So therefore the chunk from the client isn't over-sized.

It's possible that instead there was a problem with the connection staying up.

NTLM requires that the client stay connected to the server throughout the whole request->challenge->response cycle. If the connection got broken, then the final response would become invalid. It's possible that IE7 behaves differently in this aspect.

We did make some changes to NTLM auth in 6.2 regarding keeping client connections, which may actually help here.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
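Adrien's point above, that the NTLM request->challenge->response cycle only works if the client stays on the same connection, as an added Python model that is not WinGate's code. The proxy side stores the server challenge per connection and verifies an NTLMv2 proof against it; a Type 3 arriving on a different connection has nothing to be checked against and is rejected, which is the "token supplied is invalid" situation. Assumptions: the NT hash is a constructed constant (hard-coded so the example does not need MD4 in hashlib), the NTLMv2 blob is simplified (no target info), and the connection identifiers and `directory_lookup` are hypothetical stand-ins for WinGate's AD lookup.

```python
"""Proxy-side NTLM: the challenge is bound to the connection, so the final
Type 3 leg must arrive on the same connection that received the Type 2.
Added example; not WinGate's code."""
import hashlib
import hmac
import os
import struct
import time

# Constructed credential: a pre-computed NT hash (MD4 of the UTF-16LE password),
# hard-coded so the example does not depend on MD4 being available in hashlib.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "alan", "EXAMPLE"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NThash, upper(user) + domain), text as UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def make_blob(client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 'temp' structure: version, timestamp, client nonce and an
    empty AV-pair list (real clients also carry target info here)."""
    filetime = int((time.time() + 11644473600) * 10_000_000)  # Windows FILETIME
    return (b"\x01\x01" + bytes(6) + struct.pack("<Q", filetime)
            + client_nonce + bytes(4) + bytes(4) + bytes(4))


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, challenge || temp)."""
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest() + blob


class NtlmProxyAuth:
    """Proxy side of request -> challenge -> response, keyed by connection id."""

    def __init__(self, lookup_nt_hash):
        self.lookup_nt_hash = lookup_nt_hash
        self.pending = {}  # conn_id -> 8-byte server challenge awaiting its Type 3

    def on_type1(self, conn_id: str) -> bytes:
        challenge = os.urandom(8)
        self.pending[conn_id] = challenge
        return challenge

    def on_type3(self, conn_id: str, user: str, domain: str, response: bytes) -> str:
        challenge = self.pending.pop(conn_id, None)
        if challenge is None:
            # The connection changed between Type 2 and Type 3: there is no
            # challenge to verify against, so the token is invalid.
            return "AUTH failed: no outstanding challenge on this connection"
        nt_proof, blob = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(self.lookup_nt_hash(user, domain), user, domain),
                            challenge + blob, hashlib.md5).digest()
        if hmac.compare_digest(nt_proof, expected):
            return "Authenticated[NTLM]"
        return "AUTH failed: response does not match challenge"


def directory_lookup(user: str, domain: str) -> bytes:
    """Hypothetical stand-in for the AD lookup; returns the constructed hash."""
    return NT_HASH


def client_exchange(proxy: NtlmProxyAuth, nt_hash: bytes, type3_conn: str,
                    type1_conn: str = "conn-1") -> str:
    """Run the three legs; type3_conn selects which connection carries the final leg."""
    challenge = proxy.on_type1(type1_conn)
    blob = make_blob(os.urandom(8))
    response = ntlmv2_response(ntowf_v2(nt_hash, USER, DOMAIN), challenge, blob)
    return proxy.on_type3(type3_conn, USER, DOMAIN, response)


if __name__ == "__main__":
    proxy = NtlmProxyAuth(directory_lookup)
    print(client_exchange(proxy, NT_HASH, "conn-1"))  # same connection throughout
    print(client_exchange(proxy, NT_HASH, "conn-2"))  # connection changed mid-handshake
```

The per-connection dictionary is the whole point: a proxy that keyed the challenge on the user or the client IP instead would accept a Type 3 from any connection, and an intercepting proxy that does not preserve the client connection cannot complete the handshake at all.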

Postby rsenio » Nov 24 06 1:18 pm

Hmm ok. I'm still running 6.1.4 I didn't realize that there was a new version. I'm surprised the support tech didn't inform me of that. Let me try that.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby rsenio » Nov 24 06 1:24 pm

Nope, still the same issue.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 24 06 1:48 pm

It was released yesterday.

Can you try the packet capture? That's about the only way I can think to track this down.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 25 06 4:36 am

Installed CommView on a PC that has IE7. Changed the setting back to the default, which is Enable Integrated Windows Authentication. Ran CommView and then launched IE7. The first connection to the proxy is 3,740 bytes. Immediately I get a login box, in which I type the username and password of the account logged into that PC. However the login box comes up repeatedly and no matter how many times I enter the name and password it just ends up failing.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 25 06 5:38 pm

Hi

Can you send a packet capture of this to my email at adrien at qbik dot com please?

Thanks

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 7:41 am

Using CommView I've saved a brief capture and emailed it to you.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 9:56 am

Hi

Tried to reply but got an error from your mailserver "Relaying denied" - you might want to look at that, since if your MX server blocks messages for you because it thinks that's a relay, then it doesn't think it's your mail server.

Anyway, looked into the capture. The first chunk sent by the client doesn't look like any NTLM auth chunk I've ever seen before. So WinGate looks to be bouncing it, and closes the connection, so the client doesn't get any option to try anything else.

What sort of AD environment is this? Is it using kerberos, or just native AD?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 11:03 am

Yeah, sorry, we were having some major ISP issues today. We are using Kerberos in our 2003 Active Directory environment.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 11:16 am

Hi

Apparently no version of IE can negotiate Kerberos with a proxy:

http://support.microsoft.com/kb/321728

Are these clients being intercepted, or are they connecting to the proxy?

If there are some working and some not, you'll probably find the ones that work are using NAT (not configured to use a proxy) - or vice-versa.

Looks like another MS "feature" to me.

Adrien
Last edited by adrien on Nov 28 06 11:21 am, edited 1 time in total.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 11:18 am

OK, unless I am completely wrong and we are using NTLM. But if I load IE6 on that PC everything works fine. All our clients go through WinGate. It's been set up as a classic proxy (Internet Explorer settings have to have proxy settings in them). We've had WinGate here for years; never have I seen something like this in the past.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 11:24 am

I think what's happening is that IE6 knows it won't do Kerberos, so when it gets a Proxy-Authenticate: Negotiate tag back from the server, it only sends an NTLM response.

But it looks like IE7 sends a Kerberos one, which breaks.

I think this is why unchecking "use integrated windows authentication" sometimes helps.

If IE knows it's talking to a proxy it behaves differently to if it thinks it's talking to a web server. Hence the possible difference in behaviour between intercepted vs proxy configuration.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
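The first-chunk check Adrien describes above (a Negotiate token from IE7 that leads with Kerberos, where IE6 sends a plain NTLM message to a proxy), as an added Python example that is not WinGate's code. It parses a Proxy-Authorization header value, tells a raw NTLMSSP message from a SPNEGO token, lists the SPNEGO mechanisms in the order the client offered them, and picks which schemes to offer on the next 407, dropping Negotiate when the client led with Kerberos, which is the change Adrien's test build makes. The sample tokens are constructed here with a minimal DER encoder, not taken from the capture; the mechanism order assumed for IE7 and the minimal NTLM NEGOTIATE message are assumptions.

```python
"""Classify the token in a Proxy-Authorization header the way one reads a capture:
raw NTLMSSP, SPNEGO leading with Kerberos, or SPNEGO listing NTLMSSP.
Added example; not WinGate's code."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|N followed by N big-endian bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spnego_mech_types(token: bytes) -> list:
    """Walk [APPLICATION 0] { OID spnego, [0] NegTokenInit { SEQ { [0] mechTypes } } }."""
    tag, app, _ = der_read(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_read(app)
    if tag != 0x06 or oid_to_str(oid) != OID_SPNEGO:
        raise ValueError("GSS-API token is not SPNEGO")
    _, neg_init, _ = der_read(app, pos)
    _, seq, _ = der_read(neg_init)
    tag, mech_ctx, _ = der_read(seq)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_seq, _ = der_read(mech_ctx)
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, body, pos = der_read(mech_seq, pos)
        mechs.append(oid_to_str(body))
    return mechs


def classify_token(header_value: str) -> dict:
    """Classify the base64 token in a Proxy-Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    info = {"scheme": scheme, "kind": "unknown", "mechs": [], "ntlm_message_type": None}
    if raw.startswith(b"NTLMSSP\x00"):
        info["kind"] = "ntlm"
        info["ntlm_message_type"] = int.from_bytes(raw[8:12], "little")  # 1, 2 or 3
    elif raw[:1] == b"\x60":
        mechs = spnego_mech_types(raw)
        info["mechs"] = mechs
        if mechs[0] in KERBEROS_OIDS:
            info["kind"] = "spnego-kerberos"  # what the thread saw from IE7
        elif OID_NTLMSSP in mechs:
            info["kind"] = "spnego-ntlm"
        else:
            info["kind"] = "spnego-other"
    return info


def recommended_challenge(info: dict) -> list:
    """Schemes to offer in the next 407: drop Negotiate when the client led with
    Kerberos, so it falls back to a raw NTLM message the proxy can process."""
    return ["NTLM"] if info["kind"] == "spnego-kerberos" else ["Negotiate", "NTLM"]


# Constructed sample tokens (not captured traffic); mechanism order is an assumption.
def build_spnego_init(mechs: list) -> bytes:
    mech_seq = der_tlv(0x30, b"".join(der_oid(m) for m in mechs))
    neg_init = der_tlv(0x30, der_tlv(0xA0, mech_seq))
    return der_tlv(0x60, der_oid(OID_SPNEGO) + der_tlv(0xA0, neg_init))


def build_ntlm_negotiate() -> bytes:
    flags = 0x00000201  # NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + flags.to_bytes(4, "little") + bytes(16)


SAMPLE_IE7 = "Negotiate " + base64.b64encode(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])).decode()
SAMPLE_IE6 = "NTLM " + base64.b64encode(build_ntlm_negotiate()).decode()
```

Run `classify_token` over the first Proxy-Authorization header in a capture: a result of `ntlm` with message type 1 is the Type 1 message Adrien expected, while `spnego-kerberos` is the first chunk that "doesn't look like any NTLM auth chunk" and explains why a proxy that only speaks NTLM rejects it.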

Postby rsenio » Nov 28 06 11:33 am

Yes, unchecking "use integrated windows authentication" works fine. As it is right now (I checked with a few people) Kerberos is the default auth in our AD; however NTLM isn't turned off or blocked. I was trying to avoid having to change the default IE7 install in order to get it to work with our proxy.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 11:36 am

Hi

It's possible if we modify our challenge to not include

Proxy-Authorization: Negotiate

but only

Proxy-Authorization: NTLM

That may fix it. Can I send you a test replacement WinGate.exe to try?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 11:37 am

Sure, I will test it after hours here.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 1:04 pm

OK, it's on its way.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 1:21 pm

Preliminary tests show that it's working with the changes you have described. The only thing I do notice is that the user shows up with the correct user ID and machine name, but it's (assumed). Although web browsing works without changing the defaults now.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 6:04 pm

Does it show "(assumed)" even when the user is connected, or is this after the client has disconnected?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 28 06 7:12 pm

Yes, it's showing assumed during the whole web surfing process.
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am

Postby adrien » Nov 28 06 9:24 pm

That's not a good sign.

If it was using NTLM, it would show as Authenticated[NTLM]

Do the policies require users to be authenticated or just assumed?
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby rsenio » Nov 29 06 4:09 am

The policies are just assumed, but I've also switched it to must be authenticated and it's the same result. Should I stop and start the WinGate service after I make that sort of change?
rsenio
 
Posts: 15
Joined: Aug 03 06 4:07 am
