Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Feb 05 13 10:35 pm
We use WinGate 7 (last update) in a Windows 2008 Domain network.
In the log data we found 33% of WWW Proxy traffic witch "cs-username" blank.
We use the NTLM Authentication.
In WinGate 6 we haven't this problem.
Any ideas?
Many Thank,
Feb 06 13 2:58 am
HI
what is the status code for this, under sc-status. If it's 407 it's an auth challenge (1st step toward authentication).
Regards
Adrien
Feb 06 13 3:05 am
adrien wrote:HI
what is the status code for this, under sc-status. If it's 407 it's an auth challenge (1st step toward authentication).
Regards
Adrien
It's 200 and 407. What I must do?
Thanks
Feb 06 13 8:49 am
Hi
the 407 ones you can ignore, since you should notice the request is repeated close below in the log but that time with the username.
In NTLM / Negotiate auth, the request is made 3 times to establish a new authentication, so you'd see 2 x 407, then a 200 if the request is allowed, with the username. This is just the way http authentication works, so there's nothing you can do about that.
If there are entries where sc-status is 200 and there's no username, that means that auth isn't happening or required for that request. Some sites you should allow access to without auth, such as
a) windows update sites
b) online certificate checking sites
since these sites are used by parts of the client OSes that really don't deal well with authentication.
Regards
Adrien
Feb 12 13 11:03 pm
Can you please read the log in attach?
You can see that the website isn't windows update or online certificate cecking sites.
Thanks
Regards.
adrien wrote:Hi
the 407 ones you can ignore, since you should notice the request is repeated close below in the log but that time with the username.
In NTLM / Negotiate auth, the request is made 3 times to establish a new authentication, so you'd see 2 x 407, then a 200 if the request is allowed, with the username. This is just the way http authentication works, so there's nothing you can do about that.
If there are entries where sc-status is 200 and there's no username, that means that auth isn't happening or required for that request. Some sites you should allow access to without auth, such as
a) windows update sites
b) online certificate checking sites
since these sites are used by parts of the client OSes that really don't deal well with authentication.
Regards
Adrien
Feb 13 13 1:16 pm
Hi
I don't see any attached file.
the point is, that if the policy allows access to the site (no matter what sort of site it is) without authentication, then the user wouldn't be forced to authenticate, and you wouldn't learn the username.
Regards
Adrien
Feb 13 13 9:36 pm
Did you see it now?
Thanks.
adrien wrote:Hi
I don't see any attached file.
the point is, that if the policy allows access to the site (no matter what sort of site it is) without authentication, then the user wouldn't be forced to authenticate, and you wouldn't learn the username.
Regards
Adrien
- Attachments
-
- 20130212_000_WWW Proxy Server.zip
- Log file
- (23.96 KiB) Downloaded 361 times
Feb 13 13 9:48 pm
Hi
I see the file, but I see no evidence of there being any authentication done.
How are your users authenticating?
Did you set policy to require authentication?
Regards
Adrien
Feb 13 13 10:06 pm
Good morning,
we took some info from the log including the connections properly authenticated. If you want to send the complete log via email, but in private.
The problem for us is seen in the data in the log I sent.
The NTLM authentication is enabled.
Thank you.
adrien wrote:Hi
I see the file, but I see no evidence of there being any authentication done.
How are your users authenticating?
Did you set policy to require authentication?
Regards
Adrien
Feb 13 13 10:13 pm
Hi
it's probably quickest to resolve if we can look at your system remotely.
We normally recommend teamviewer for that. If you wish to go ahead with that, send an email to
support@wingate.com and we can pick it up from there.
If teamviewer is ok, send us the ID and password and we can connect straight away.
Regards
Adrien
Feb 15 13 3:07 pm
just for the benefit of others watching this thread.
the problem was due to missing account name in the active directory user objects (old ones that only had domain-compatible ones), so logging was correctly logging blank name.
Powered by phpBB © phpBB Group.
phpBB Mobile / SEO by Artodia.