This discussion has been locked.

Proxy asking for authentication credentials

I've got a WS1100 Appliance. My users are being proxied through with a proxy.pac file hosted on one of our servers. We use AD integration to authenticate our users.

My issue is that very randomly a user will call me saying they can't get to any websites. What they have is an authentication box for our WS1100. If they enter their credentials (which is what should be passed automatically) it refuses them 3 times until it gives a "Proxy Authentication Error" page. If I log in with my own credentials, however (which are obviously elevated compared to most of our users), it will let me through.

This happens very randomly, to different users with different access. Sometimes restarting their machine fixes the problem, sometimes logging off and back on fixes it, and sometimes it won't go away without bypassing the proxy altogether. If

It seems to be a Windows problem, as if Windows isn't letting them authenticate. If they go to another machine they have no problem. Doesn't seem to be a Sophos problem but I thought maybe someone here has seen a similar issue.

  • Hi,

    This does sound quite unusual. I'm surprised that your credentials work, but the user's do not. Is the user a member of a different domain to yourself?

    Unless of course the user isn't actually being authenticated by the proxy, but is being asked for authentication for a different reason. For example, being required to authenticate in order to download the PAC file itself? If possible, I'd turn off the PAC file and set up explicit proxy settings for a few users to see if this helps. This would rule out any problems with the PAC file.

    Also, make sure that DNS is set up correctly for your DCs and the A record of your domain. If there are some incorrect entries in DNS this could cause intermittent problems. This article might help:

    http://www.sophos.com/support/knowledgebase/article/112044.html

    Another suggestion could be to disable 'Authenticate All Requests' in 'Configuration | System | Active Directory'. This means that supported web browsers will only be authenticated every 5 minutes. Whilst this doesn't help us work out the root cause it could make it much less likely to happen.

    Other than that, it may be best to call in to Sophos support. They will probably recommend doing a TCP capture / Wireshark whilst the issue happens to confirm exactly what is going on.

    Hope this helps,

    Tom.

  • I've seen this happen at our organization as well. We have our WS1100s applied in transparent mode using WCCP as well as proxy server configuration for our virtual desktop environment. This usually happens when a user's account gets locked out or their password has expired. If the password did expire, then they should be prompted for a new password after they log out of their system.

  • Did you ever figure this out? We have a similar problem. I have noticed that it sometimes happens when a user enters a username and password into a website (different from their network credentials) and then IE tries to pass those credentials to AD, which of course doesn't work.

  • Hi NBRHC,

    IE is challenged for authentication by the appliance, but this should happen transparently to the user. It's actually the appliance which should contact AD.

    In some circumstances this authentication process could fail (if the account is locked out such as shakthi16 suggested).

    In this case, IE will display a prompt for authentication with the appliance. Perhaps your users are unsure whether they are authenticating with the appliance or the website?

    You could try enabling the Captive Portal as a fallback process in Configuration | System | Authentication?
    When authentication with the appliance (AD) fails the user will get an HTML page which makes it clearer they are logging in for internet access.

    If you can reproduce specific examples of this please do call our support team and they can help you get diagnostics to troubleshoot this.

    Thanks,
    Tom.

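The capture suggested in the replies can settle two questions raised in this thread: whether the prompt comes from the appliance or from a website, and which account the browser actually sent. The script below is an added example, not part of the thread or of any Sophos tooling; it assumes the exchange uses NTLM (the thread does not say which scheme is negotiated), and the helper names and the sample account are constructed.

```python
import base64
import struct

def _field(msg, pos, is_unicode):
    # One NTLM security buffer: length (2), max length (2), payload offset (4).
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if is_unicode else "latin-1", "replace")

def ntlm_identity(token_b64):
    """(domain, user, workstation) from an NTLM type 3 token, else None."""
    try:
        msg = base64.b64decode(token_b64)
    except ValueError:
        return None
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:      # 1=negotiate, 2=challenge
        return None
    is_unicode = bool(struct.unpack_from("<I", msg, 60)[0] & 0x1)
    return tuple(_field(msg, pos, is_unicode) for pos in (28, 36, 44))

def diagnose(headers):
    """headers: (name, value) pairs copied from the capture, in order."""
    findings = []
    for name, value in headers:
        key = name.lower()
        scheme, _, token = value.strip().partition(" ")
        if key == "proxy-authenticate":               # sent with a 407 by the proxy
            findings.append(("appliance asks", scheme))
        elif key == "www-authenticate":               # sent with a 401 by the site
            findings.append(("website asks", scheme))
        elif key in ("proxy-authorization", "authorization") and scheme.upper() == "NTLM":
            ident = ntlm_identity(token)
            if ident:
                who = "appliance" if key.startswith("proxy") else "website"
                findings.append(("sent to " + who, ident))
    return findings

def build_sample(domain, user, host):
    """Constructed input: minimal type 3 token with empty response fields."""
    parts = [b"", b"", *(s.encode("utf-16-le") for s in (domain, user, host)), b""]
    head, body, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for part in parts:
        head += struct.pack("<HHI", len(part), len(part), offset)
        body, offset = body + part, offset + len(part)
    return base64.b64encode(head + struct.pack("<I", 0x1) + body).decode()
```

If the domain and user reported as sent to the appliance are not the logged-on Windows account, the browser is offering other credentials, which is the situation described in the third reply.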