keithsauer507
Contributor

In Ironport S160, how do you reauthenticate to transparent proxy?

I was temporarily using a Mac on our network, and launched Google Chrome.  A popup of course came up to log into webfilter.  I typed in my AD username and password, and it let me on the internet.  However, I do not have my level of access (cannot download).


How can I re-authenticate?  I would like to try typing in the domain name with a \ in front of my user id, such as DOMAIN\username to see if maybe that's the trick.  (The pop up does not specify - so who knows).

We have the blocked pages redirect to a local IIS server, and it says:

Blocked Category:

Computers and Internet

User:

(Unauthenticated)10.1.3.54

User Group:

BLOCK_ADMIN_FILE_TYPE_11-DefaultGroup-Authenticated_Users-NONE-NONE-NONE-DefaultGroup

Base64Decode error '800a0001'

Bad Base64 string.

/ironport/blocked.asp, line 78

At the bottom of the page, my coworker swears it should provide the user with a re-authenticate button.  It never does though (either on this Mac, or other unauthenticated PCs).

3 REPLIES
Ken Stieers
Engager

Taken from the HELP FILE:

Allowing Users to Re-Authenticate

AsyncOS for Web can block users from accessing different categories of websites depending on who is trying to access a website. In these cases, users successfully authenticate, but they are not authorized to access certain websites due to configured URL filtering in the applicable Access Policy. You can allow these authenticated users another opportunity to access the web if they fail authorization.

Note: Only authenticated users are allowed to re-authenticate, not unauthenticated users.

You might want to do this for shared workstations that have multiple users, but the default account has limited access. If the default account on the workstation is blocked from a website due to restrictive URL filtering, the user can enter different authentication credentials that allow broader, more privileged access.

To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting. The user sees a block page that includes a link that allows them to enter new authentication credentials. The Web Proxy evaluates those credentials against the authentication realms defined in the applicable Identity group, and if the new credentials allow greater access, the requested page appears in the browser. For more information, see Configuring Global Authentication Settings.

Note: The Web Proxy evaluates the new credentials against the authentication realms defined in the applicable Identity group only. It does not compare them against all other Identity groups.

When a more privileged user authenticates and gets access, the Web Proxy caches the privileged user identity for different amounts of time depending on the authentication surrogates configured:

• Session cookie. The privileged user identity is used until the browser is closed or the session times out.

• Persistent cookie. The privileged user identity is used until the surrogate times out.

• IP address. The privileged user identity is used until the surrogate times out.

• No surrogate. The Web Proxy requests authentication for every new connection, but most browsers will cache the privileged user credentials and authenticate without prompting the user until the browser is closed. However, because the Web Proxy requests authentication for every new connection, there is an increased impact on the authentication server when using NTLMSSP.

Note: To use the re-authentication feature with user defined end-user notification pages, the CGI script that parses the redirect URL must parse and use the Reauth_URL parameter. For more information, see Working with User Defined End-User Notification Pages.

Ken Stieers

Thanks,


When you reauthenticate, is the username in the form of DOMAIN\username or can they just type in their Active Directory username?

We have the setting checked to allow users to reauthenticate.  There must be a coding error on our asp page in the base64decode routine.  I'm not sure why that's even needed, but I'm trying to figure it out.

Attached is a text file of our asp code.

Virus detected! File Removed.

Hmm, just for the heck of it, on our custom redirect page, I decided to print out the value of Reauth_URL prior to base64 decoding it.

by using this code: Request.QueryString("Reauth_URL")

I get -

That's right, just a small dash - when trying to download Firefox4 on a Mac and getting to a blocked page.
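
An added example, not code from the thread or from Cisco: one defensive way for a user-defined block page to handle Reauth_URL, treating the bare "-" reported above as "no re-authentication URL supplied" instead of passing it to a Base64 decoder. It is written in Python rather than the poster's ASP, and it assumes (from the poster's page, not confirmed here) that a real value arrives Base64-encoded; the function names, host name and sample query string are constructed.

```python
import base64
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical host, not from the thread).
SAMPLE_URL = "http://wsa.example.invalid/reauth?a=1&b=2"
SAMPLE_QS = "Reauth_URL=" + base64.b64encode(SAMPLE_URL.encode()).decode()

PLACEHOLDER = "-"  # value the poster saw when the proxy offered no re-auth URL


def extract_reauth_url(query_string, assume_base64=True):
    """Return a validated re-authentication URL, or None if there is none."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("Reauth_URL", [""])[0].strip()
    if raw in ("", PLACEHOLDER):
        return None  # nothing to decode: do not call the Base64 routine at all
    try:
        if assume_base64:
            # Form decoding turns '+' into a space; restore it, then re-pad.
            raw = raw.replace(" ", "+")
            raw += "=" * (-len(raw) % 4)
            raw = base64.b64decode(raw, validate=True).decode("utf-8")
        parts = urlsplit(raw)
    except ValueError:
        # Covers bad Base64, non-UTF-8 bytes and malformed URLs.
        return None
    # Only ever render an http(s) link with a host part.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return raw


def render_reauth_link(query_string):
    """Build the block-page footer: a link if one is usable, a notice if not."""
    url = extract_reauth_url(query_string)
    if url is None:
        return "<p>Re-authentication is not available for this request.</p>"
    # Escape before placing the value in an attribute.
    return '<p><a href="%s">Log in as a different user</a></p>' % html.escape(
        url, quote=True
    )


if __name__ == "__main__":
    print(render_reauth_link("Reauth_URL=-"))  # the case from the thread
    print(render_reauth_link(SAMPLE_QS))
```

The same order of checks carries over to an ASP page: test the raw query value for an empty string or "-" first, and only then decode and validate it.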
