WSA Authentication Pop Ups

Dave Gimbert · ‎03-24-2011

Hello All

I have 2 x WSA S160 in an active active configuration using a PAC file.

The WSA’s are in transparent mode using NTLM authentication.

Looking through past threads and the manual I have done the following: -

The transparent redirect hostname is a single word hostname on both appliances.

I have configured GPO so that IE has the FQDN of both WSA’s in the Local Intranet Zone

But we still have seemingly random pop up windows requesting authentication to the WSA

Any ideas?

Thanks

Juan Ramos · ‎03-25-2011

Dave,

In your Pac file, which proxy does your client bind to in the active/active setup? Is there a random() math function involved or some kind of load balancing scheme? Does the re-authentictation prompt appear at a consistent time interval (consistent with your surrogate timeout value)? if the issue can be recreated, you can grep the accesslogs on both proxies.

Thanks,

Juan

Dave Gimbert · ‎04-04-2011

Hi Juan,

Our pac file contains the following line to balance the load between the two Ironport's

return "PROXY iomwsa1.nt.doehle-iom.com:3128; PROXY iomwsa2.nt.doehle-iom.com:3128";

Thanks

Dave

Juan Ramos · ‎04-04-2011

Dave,

From this line we see that your clients will only bind to iomwsa1.nt.doehle-iom.com as long as it is available.

if you have session cookie surrogate then please let us know the versions of the browsers that produce this pop-up (firefox, ie, chrome).

The authentication prompts could appear if the proxy has to create a new session cookie or if NTLMSSP fails (thus resulting in BASIC auth).

Thanks,

Juan

hallvard.solem · ‎04-07-2011

We have had this issue in two situations:

1.The appliance has had connectivity problems to AD. Firewall issue.. the sessions timed out but the ironport didnt notice it.

2. The proxy service is restarted. I.e when we add a route to the config and press commit changes