Authentication popup by just reading Outlook e-mails?

keithsauer507
Level 5

Sometimes we have users call into our support asking what to do when they receive an authentication pop up box when paging through Outlook emails.  Most users use Outlook 2003 (it is on our roadmap to upgrade to 2010 later this year).

We use a S160 in transparent proxy mode and it is joined to the active directory domain.  I think it has to do with certain e-mails with images that are downloaded from the internet.  However, these users are logged into the domain, and the S160 is also a part of the domain.  So shouldn't the S160 already KNOW who's logged in, and where because it exists on the same domain (and was joined with a domain admin account)?

Seems like they put in their windows / AD credentials and then it goes away.  Why is this inconsistent for end users though?  It's like some people get this, and some do not.  Certain e-mails trigger it, while others do not.

Any ideas as to how to prevent this from happening?  The system should be transparent to the end user.  When we had a Barracuda web filter, it knew who you were because you were signed into the domain, and a little AD Agent application ran on the domain controller which told the web filter appliance who logged in and out in real time, and where.

Thank you for your assistance.


jahasan
Cisco Employee

Hi,

I think this is due to the content of the link that the user is trying to access. Sometimes contents use Flash or JavaScript which may not support NTLM authentication and therefore would give you a pop up for authentication. If you just copy and paste the link from the email in a browser do you get the same pop up?

I would recommend checking the authlog when this happens and see if it records any discrepancies. You may want to increase the log level to trace, before you check the authlog. You can increase the log level, using the 'logconfig' command from the CLI.

Kind Regards

Jaki

I notice sometimes it shows NT_STATUS_NO_SUCH_USER (PAM: 13) for some people.

But the authentication looks different, like here are two separate types of items I see in the logs:

Fri Mar 18 08:35:35 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:35:36 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:35:36 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:51:26 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [OURDOMAIN]\[schmoej] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)

That's all these logs show, so if I change the log level I can get more information, correct?  How long can I run it with a more verbose log level, and will it cause performance degradation?
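An added example, not part of the original posts: a small parser for the PROX_AUTH lines quoted above that tallies results by the domain field the client sent and the NT status, which separates the two kinds of entry the poster noticed. The line format is an assumption inferred from the four quoted lines, and OURDOMAIN is taken from the post as the expected AD domain.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Format inferred from the four authlog lines quoted in the post (assumption,
# not a documented WSA log grammar).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) Info: PROX_AUTH : .*?"
    r"NTLM CRAP authentication for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"returned (?P<status>NT_STATUS_\w+) \(PAM: (?P<pam>\d+)\)"
)

# The four lines from the post, reproduced as sample input.
SAMPLE = r"""
Fri Mar 18 08:35:35 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:35:36 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:35:36 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [webfilter.ourdomain.com]\[schmoej] returned NT_STATUS_NO_SUCH_USER (PAM: 13)
Fri Mar 18 08:51:26 2011 Info: PROX_AUTH : - : NTLM CRAP authentication for user [OURDOMAIN]\[schmoej] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
"""

def parse_authlog(text):
    """Return one dict per NTLM result line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(ev)
    return events

def tally(events):
    """Count results per (domain as sent by the client, NT status)."""
    return Counter((e["domain"], e["status"]) for e in events)

def unexpected_domains(events, expected):
    """Map each domain other than `expected` to the users seen with it."""
    out = defaultdict(set)
    for e in events:
        if e["domain"].upper() != expected.upper():
            out[e["domain"]].add(e["user"])
    return dict(out)

if __name__ == "__main__":
    evs = parse_authlog(SAMPLE)
    for (domain, status), n in sorted(tally(evs).items()):
        print(f"{n:3d}  {domain:28s} {status}")
    print("not the AD domain:", unexpected_domains(evs, "OURDOMAIN"))
```
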

There was a recent thread here that stated that the user agent (aka browser) built into Outlook doesn't do authentication, and suggested creating an identity that doesn't require auth.

It mentioned other things that don't support auth as well, like Windows Update... 

Not a thread... the manual... Chap 20, pg 3 of the "Cisco IronPort AsyncOS 7.1 for Web User Guide"

Yes, I have our WSUS server bypassed authentication, and our Anti Virus server - so they can get updates.

Can you create an identity not requiring authentication simply by checking the browser user agent string doing the http(s) request?  I can simply use packetyzer to analyze the http traffic from Outlook to identify what its user agent string is advertised as.

Yes, that's exactly what needs to be done. (though you can use the access log on the WSA for this too, or packet capture, also on the WSA, or google, or ...)

Here are mine (cut and pasted from my WSA)

(MSOffice\x2014)
Microsoft NCSI
SLSSoapClient

Those are for Office 2010, the MS network connectivity detection in Win7 (keeps the "my computer says I don't have internet access" calls down), Microsoft Activation respectively...

hallvard.solem
Level 1

We had the same issue running IronPort as transparent as well.

We are now running explicit proxy and the problem has gone away.

I also found out that it had to do with images hosted on external web sites.