cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3468
Views
0
Helpful
4
Replies

WSA Authentication Pop Ups

Dave Gimbert
Level 1
Level 1

Hello All

I have 2 x WSA S160 in an active active configuration using a PAC file.

The WSA’s are in transparent mode using NTLM authentication.

Looking through past threads and the manual I have done the following: -

The transparent redirect hostname is a single word hostname on both appliances.

I have configured GPO so that IE has the FQDN of both WSA’s in the Local Intranet Zone

But we still have seemingly random pop up windows requesting authentication to the WSA

Any ideas?

Thanks

4 Replies 4

Juan Ramos
Cisco Employee
Cisco Employee

Dave,

In your Pac file, which proxy does your client bind to in the active/active setup?  Is there a random() math function involved or some kind of load balancing scheme?  Does the re-authentictation prompt appear at a consistent time interval (consistent with your surrogate timeout value)?  if the issue can be recreated, you can grep the accesslogs on both proxies.

Thanks,

Juan

Hi Juan,

Our pac file contains the following line to balance the load between the two Ironport's

return "PROXY iomwsa1.nt.doehle-iom.com:3128; PROXY iomwsa2.nt.doehle-iom.com:3128";

Thanks

Dave

Dave,

From this line we see that your clients will only bind to  iomwsa1.nt.doehle-iom.com as long as it is available.

if you have session cookie surrogate then please let us know the versions of the browsers that produce this pop-up (firefox, ie, chrome).

The authentication prompts could appear if the proxy has to create a new session cookie or if NTLMSSP fails (thus resulting in BASIC auth).

Thanks,

Juan

hallvard.solem
Level 1
Level 1

We have had this issue in two situations:

1.The appliance has had connectivity problems to AD. Firewall issue.. the sessions timed out but the ironport didnt notice it.

2. The proxy service is restarted. I.e when we add a route to the config and press commit changes