User authentication petition comes blank or with PC name

slizarraga · ‎05-02-2012

I have an WSA S370 with Version: 7.1.3-021. The users use Single Sign on their PC and the configuration is in explicit mode, configured in the Internet Explorer. Also the identity use cache with the IP address.

The problem that happens sometimes is that a user (any) make the petition with no username. Because of that they fall in the Default Policy and some (the ones with more privileges) have problems because they get blocked for accesing some websites.

A similar case happens with another group of users, the petition comes in with the PC name as the username, instead of the real one; the effect: the users fall in the categorization and fall in the Default Policy.

Is there a way to check if something is going wrong with the WSA?

I am attaching how it looks in the message tracking.

Sergio

sfiebran · ‎05-03-2012

From your description this sounds like a race condition on startup when surrogates are usual getting created for the user once they login.

1st problem here is, that few applications are not supporting NTLM authentication, but might be within the autostart (then you have no username) or preform the first request. For this, the best workaround is to identify these applications and create an e.g. Custom URL Category to bypass authentication for this client appllication to their specific destination URL(s). Another method is to use the according User Agent as criteria if feasible.

The 2nd issue, having machine names rather usernames in authentication isn't that easy, as this is actually allowed by Active Directory, but not something Administrators do like.

Starting with Vista, if users e.g. turn on their PC and thus haven't logged in yet, Windows will start using the respective machine account (as part of the domain) for any authentication that background application may require against the proxy. Once the user logged in, this behavior will switch to use the user credentials rather the machine account (which is what Admins would like to see), however, the surrogate has been already created using the machine account.

Now the problem comes with any proxy, e.g. WSA. If any background application is capable of NTLM authentication and requires internet communication, but was started BEFORE the user has logged in, then "false" surrogates can be created with such machine names seen in the log (you see a $@ in the logs).

In old times this never became an issue as e.g. Windows XP simply did not allow this and while moving applications over to Vista/Windows7 these still behaved as within XP to be backward compatible. But nowadays more and more application take advantage of the new features and therefore this design problem becomes more and more visible.

Especially with Windows 7 you likely run into this due NSCI which is causing "internet connectivity already at startup".

Best solution here is again to excempt such requests from authentication via e.g. Custom URL or User Agent.

Good news, with 7.5 will come a feature to specifiy a separate surrogate timeout for machine credentials. So it is possible to configure a fairly low value to let such false surrogates if created, fast expire, but still allow the application to use the network.

-Stephan