WinGate Forums

[jremey1]

I am currently evaluating WinGate solely for authenticating and logging internet web access. We are running WinGate on our test server, a Windows 2003 standard server (not a domain controller). Please let me state that I have browsed this forum and have already check the many other ntlm auth posts.

I have configured Windows authentication and can see all of our active directory users and groups in the list.

Under the web proxy service I have NTLM checked as the auth method, and configured its policy to allow everyone but force authentication, ignore system policy.

When I test with a web browser (in this case Internet Explorer 7) it pops up an authentication dialog. I try to login with my AD username and password, but it fails and I get the error screen.

Oddly enough, if I leave it alone and simply hit the enter key, it loads the page! The history log shows the web page I accessed under my username, but the system messages shows an authentication failure.

My question is - how the heck is this supposed to work? I was hoping for transparent auth, where windows automatically supplies the current logged in user credentials. This doesn't seem to work, and we are presented with a manual log in dialog, which fails login as well.

What are we doing wrong? Oh... I have not tried the goofy little client applet. We will be forcing proxy config via Windows 2003 group policy. No, we will not install the applet on every client.

Thanks,
Jon

[logan]

Have you changed the WinGate engine to login with a domain administrator account?

Is the WinGate computer a member of the active directory?

Is the DNS setting of the WinGate computers Internal network adaptor pointing to the ADDNS server?


It's good to hear that you won't be installing the WinGate Internet Client. I only recommend using this if you need application level control over client internet access. Otherwise, you will get better results using NAT and proxies.

[jremey1]

Yes to all of those questions. WinGate can get the user list from AD without issue. It seems like WinGate is trying to authenticate to the local server first, rather than the AD user accounts.

It is odd.

[adrien]

Hi

WinGate uses the OS-provided SSPI interface for NTLM.

I'm pretty sure that depends then on things like what account the WinGate computer is running in, but also whether users specify a domain name when logging in.

[jremey1]

All workstation log in to the AD domain, which provides username, password, and domain.

What account should WinGate be running under?

[jremey1]

Well, I cannot spend any more time on this. We will have to look at other products.

Thanks for your assistance.

[adrien]

WinGate needs to run under an account that has domain privileges for authentication.

Normally a domain admin account.

Adrien