Machine name instead of user name on WSA proxy

Nitin Sharma
Level 1

Hi Everyone,

 

We have a WSA (S680) 8.5.2-103 and it's deployed in both explicit and transparent mode. We are using the default settings for authentication, as below. The issue we are facing is that sometimes a user gets blocked because the request goes with the machine name instead of the username. Can anyone help me with this issue?

Credential Cache Options:
Surrogate Timeout: 3600 seconds
Client IP Idle Timeout: 3600 seconds
Cache Size: 15000 entries
4 Replies

Nitin Sharma
Level 1

Just to add one more thing to the above query: we even have authentication bypass for the Microsoft-related updates.

Enclosing the details re. this issue below:

Background info:

Microsoft introduced a new feature in Windows 7 and above called "Network Connectivity Status Indicator" (NCSI), which shows up as a little globe icon that appears over the network interface icon in the system tray. Immediately after login, this feature will attempt to request data from the Internet in order to know if there is Internet connectivity.

 There are known issues with NCSI, where it will send machine credentials instead of user credentials when NTLM authentication is required.

Microsoft KB:

https://technet.microsoft.com/en-us/library/cc766017%28WS.10%29.aspx

Please see the instructions below to work around the issue:

**Local workstation**

  1. Launch the Registry Editor by searching for "regedit" from the task menu. You must right-click and select "Run as Administrator".
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
  3. Under the Internet key, double-click "EnableActiveProbing", and then in Value data, type: 0.
  4. Click "OK".
  5. Restart the computer.

 These changes can be pushed to all clients as a Global Policy Object (GPO) using the Domain Controller.

 Workaround on the WSA

 Create an Identity for NCSI and exempt it from authentication based on the URL or its User Agent.

 Known URLs to which NCSI Connects

ncsi.glbdns.microsoft.com
newncsi.glbdns.microsoft.com
www.msftncsi.com

 NCSI User Agent

 Microsoft NCSI

Regards,

Zack

So bypassing the above links and setting this registry value of "EnableActiveProbing" to 0 will solve the issue of machine name caching on the proxy?

Hi Nitin,

Doing one of the three will work.

1) The registry entry will stop the probe.

2) Bypassing authentication for the URLs will do just that; the caveat is in the word "known": there may be others now or in the future.

3) Bypassing for the User Agent will mean that anything with a user agent of "Microsoft NCSI" will not authenticate.

Your call which one is best. I think I'd choose the user agent bypass, but it depends on your environment.

Thanks
Chris
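
Added example, not part of any reply in this thread: a Python sketch that sorts proxy requests authenticated as machine accounts by which of the bypass options discussed above would cover them. The CSV layout, sample rows and function names are constructed assumptions (this is not the WSA access-log format); the NCSI hosts and User-Agent are the ones listed in the thread.

```python
import csv
import io

# NCSI hosts and User-Agent exactly as listed in the thread.
NCSI_HOSTS = {
    "ncsi.glbdns.microsoft.com",
    "newncsi.glbdns.microsoft.com",
    "www.msftncsi.com",
}
NCSI_USER_AGENT = "Microsoft NCSI"

# Constructed sample rows: client_ip,user,host,user_agent.
# Assumption: a simplified CSV export, NOT the WSA access-log format.
SAMPLE_LOG = """\
10.0.0.21,CORP\\WKS-0042$,www.msftncsi.com,Microsoft NCSI
10.0.0.21,CORP\\alice,intranet.example.com,Mozilla/5.0
10.0.0.35,CORP\\WKS-0107$,updates.example.net,ExampleUpdater/1.0
10.0.0.48,CORP\\WKS-0200$,probe.example.net,Microsoft NCSI
10.0.0.48,CORP\\bob,www.example.org,Mozilla/5.0
"""


def is_machine_account(user):
    """Active Directory computer accounts end in '$' (e.g. CORP\\WKS-0042$)."""
    return user.rsplit("\\", 1)[-1].endswith("$")


def classify(log_text):
    """Sort machine-authenticated requests by which bypass would cover them."""
    report = {"url_and_agent": [], "agent_only": [], "url_only": [], "uncovered": []}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        client_ip, user, host, agent = (field.strip() for field in row)
        if not is_machine_account(user):
            continue
        by_url = host.lower() in NCSI_HOSTS
        by_agent = agent == NCSI_USER_AGENT
        if by_url and by_agent:
            key = "url_and_agent"
        elif by_agent:
            key = "agent_only"
        elif by_url:
            key = "url_only"
        else:
            key = "uncovered"
        report[key].append((client_ip, user, host))
    return report


if __name__ == "__main__":
    for bucket, hits in classify(SAMPLE_LOG).items():
        print(bucket, hits)
```

Rows that land in `uncovered` are machine-account requests that neither NCSI bypass would exempt, so they point to a source other than NCSI; rows in `agent_only` show the "known URLs" caveat in practice.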