Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6407
Views
5
Helpful
4
Replies

Machine name instead of user name on WSA proxy

Nitin Sharma
Level 1
Level 1

‎12-09-2015 12:10 AM

Hi Everyone,

 

We have WSA(S680) 8.5.2-103 and its deployed in both explicit and transparent mode.We are using default setting for  authentication as below .The issue we are facing is that sometimes user gets blocked because it goes with machine name and instead username.Can anyone help me with this issue.

Credential Cache Options:
Surrogate Timeout: 3600 seconds
Client IP Idle Timeout: 3600 seconds
Cache Size: 15000 entries
5 people had this problem
Labels:
0 Helpful
4 Replies 4

Nitin Sharma
Level 1
Level 1

‎12-09-2015 12:29 AM

just to add one more thing to above query we have even authentication bypass the microsoft related updates.

0 Helpful

Atazazuddin Shaikh
Cisco Employee
Cisco Employee
In response to Nitin Sharma

‎12-09-2015 05:40 AM

Enclosing the details re. this issue below:

Background info:

Microsoft introduced a new feature into Windows 7 and and above called "Network Connectivity Status Indicator"(NCSI), which shows up as a little globe icon that appears over the network interface icon in the system tray. Immediately after login, this feature will attempt to request data from the Internet in order to know if there is Internet connectivity.

 There are known issues with NCSI, where it will send machine credentials instead of user credentials when NTLM authentication is required.

Microsoft KB:

https://technet.microsoft.com/en-us/library/cc766017%28WS.10%29.aspx

Please see the instructions below to workaround the issue:

 **Local workstation *

  1. Launch the Registry Editor by searching for "regedit" from the task menu. You must right-click and select "Run as Administrator".
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

  3. Under the Internet key, double-click "EnableActiveProbing", and then in Value data, type: 0.
  4.  Click "OK".
  5. Restart the computer.

 These changes can be pushed to all clients as a Global Policy Object (GPO) using the Domain Controller.

 Workaround on the WSA

 Create an Identity for NCSI and exempt it from authentication based on the URL or its User Agent.

 Known URLs to which NCSI Connects

ncsi.glbdns.microsoft.com
newncsi.glbdns.microsoft.com
www.msftncsi.com

 NCSI User Agent

 Microsoft NCSI

Regards,

Zack

Nitin Sharma
Level 1
Level 1
In response to Atazazuddin Shaikh

‎12-09-2015 06:20 AM

So bypassing the above links and setting this registry value of EnableActiveProbing",  to 0 will solve the issue of machine name caching on proxy??

0 Helpful

Chris Illsley
Level 3
Level 3
In response to Nitin Sharma

‎12-31-2015 05:33 AM

Hi Nitin,

Doing one of the three will work.

1) Registry entry will stop probe

2) Bypassing authentication for URLs will do just that, the caveat is in the word "known" there may be others now or in the future.

3) Bypassing for the User Agent will mean that anything with a user agent of "Microsoft NCSI" will not authenticate.

Your call which one is best, I think I'd choose the user agent bypass, but it depends on your environment.

Thanks
Chris

0 Helpful
Customers Also Viewed These Support Documents
Top