I have a new Sony Vaio laptop with Windows 7 Professional 64-bit. It came with Internet Explorer 9 and I also went ahead and performed all windows updates on the machine. I joined it to the domain and I am logged in as my domain user. In Ironport I am attached to the Information Technology group which has pretty wide open access to the Internet compared to other departments.
I am having trouble downloading things like Firefox 11, Notepad ++, etc. It is taking me to a page that the website I am trying to access is blocked. Blocked category: Freeware and Shareware. On my destkop PC which is also logged into the domain, these same sites work fine.
I'm noticing on the laptop that the User string is our DOMAINNAME\computername@Windows. User Group: BLOCK_ADMIN_FILE_TYPE_11-DefaultGroup-Authenticated_Users-NONE-NONE-NONE-DefaultGroup. Reauth_URL: base64decode error '800a0001' Bad Base64String /ironport/blocked.asp, line 78.
Normally when a user is blocked the User string is DOMAINNAME\username@windows. See for some reason this laptop is authenticating as the computername and not the username. Kind of like when you setup WPA2 Enterprise Wifi and in the MSCHAP properties you can choose User, Computer or User or Computer authentication.
Is there a simalar setting to change authentication to pass my username and not my computername?
Also the Reauth URL rarely ever works. I'd say 99.9% of the time its a bad base64 string. Once in a blue moon it will work and allow you to type in domain credentials to fix these sort of issues.
Are you using AsyncOS for Web 7.5 by chance? If you are, this might fix your problem. In the 7.5 release notes, in the New Features and Enhancements section, there is this enhancement:
In AsyncOS for Web 7.5, you can configure a timeout value to use when it processes machine credentials for authentication from Windows machines that uses NCSI.
Windows 7 and Windows Vista machines have a feature called Network Connectivity Status Indicator (NCSI). When clients on your network use NCSI and the Web Security appliance uses NTLMSSP authentication, you should configure the appliance so it uses a relatively small timeout value for machine credentials. Do this using the advancedproxyconfig > authentication CLI command:
For more information, see the “Working with Windows 7 and Windows Vista” section in the “Authentication” chapter of the Cisco IronPort AsyncOS for Web User Guide.
[Defect ID: 75073]
I don't know if this is the problem or not, but it's worth a gander.
We have an S160 and its on the latest version AsyncOS 7.1.3-021. Under Available Upgrades there's nothing except for a Hard Drive Firmware Upgrade (build 002).
I was able to download a file on my desktop pc, put it on a usb stick and transfer it to my laptop. But I'd rather like the laptop to authenticate properly, like my desktop does - without having to resort to creating a static IP reservation for it and assigning that IP to a different Identity.
I'm looking at the internal notes on the bug referenced in the enhancement I just gave you and an engineer wondered about a couple different workarounds with Microsoft's NCSI technology (if you don't have AsyncOS for Web 7.5). They're not ideal and might not work, but either way, you should contact Cisco IronPort Customer Support. They can confirm whether or not NCSI is the cause of your issue, and either let you upgrade to 7.5 if they think that's a good solution for you, or mention the other (not so ideal) workarounds in case that's a better solution for you.
In 7.5, if you run through the advancedproxyconfig > authentication cli command, you'll see the machine credentials last for 10 seconds... After that ADAgent credentials should stick.
You can request that your device be provisioned for 7.5 by contacting the TAC.
If you want to hold of, I'd create an Identity that doesn't require auth, and add the follow agent string to it: "Microsoft NCSI"
Ok I'm curious why Microsoft NCSI is the culpret.
I tried Google Chrome as well, which isn't even a Microsoft product. While it works fine on my Windows 7 desktop PC plugged into the network, on my wifi enabled laptop it gives me the same error as IE. For example:
Blocked Category: Online Communities
Normally its supposed to allow almost any site (I'm in the IT group).
Sometimes there is a reauthenticate user link and that helps. But 90% of the time it's not there and says Base64 decode error.