Yes, user is part of the

sargentmw · ‎10-23-2014

I have a single authentication realm set up for all of my users. I have my Ironport WSA in transparent mode using WCCP from my ASA's. Every single user authenticates without a prompt except for one generic user that several workstations use. When they try to go to the internet they get prompted with a dialogue box from IE. If they put in the proper credentials, they can access the internet. I need to find out why they are getting prompted in the first place and that the Single Sign on feature of IE isn't working.

Steven Williams · ‎10-23-2014

Is the generic user part of the domain? have you verified user membership group wise?

sargentmw · ‎10-23-2014

Yes, user is part of the domain and group memberships have been verified. If I do a policy trace for that user, the Ironport returns the correct user group membership and identity policy. And to add some additional information I forgot, if anyone else logs on to that computer it works fine...its just for this user.

Steven Williams · ‎10-23-2014

Is there something being done specifically with this user account via group policy? Does entering in the generic creds actually work when prompted?

Something we use to go was assign a dummy proxy to different routes to the windows router table as this account was a generic used everywhere account we didn't want it to get to the internet cause we could track it to a specific user so we just didn't allow it period.

Ken Stieers · ‎10-23-2014

I seem to remember something about a limit of 8 IPs to a user at any one moment...

I'm still digging for the docs on it.

Steven Williams · ‎10-23-2014

If that's the case, you may have exclude these devices from authentication.

sargentmw · ‎10-27-2014

Have you found out if there is an IP limit? This is still happening and is causing some service disruption at this time.

Ironport Transparent Proxy and Authentication Realm Single Sign on