
NTLM/Kerberos authenticating device instead of user

So since today only, we are having a strange issue where users are getting authenticated by device instead of by username.

This is how it should look, and for most users it is correct it seems.

So the above is basically their username@company.net, which works fine.

But some users are getting authenticated by device, like this:

I've never seen this before, but it's blocking all web access since we use web policies that block web access if the user is not in specific AD groups. Obviously, as a computer object, these are not going to be in the correct groups.

Any reason this would be happening? Seems to happen more in Chrome than other browsers too.

  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Could you please provide access_server logs in debug mode while you replicate this issue?

    Is it only observed if the user uses Google Chrome? What is the current firmware version on your firewall?

    Thanks,

  • Hi,

    Below could be a possible reason:

    If a device connects to the Internet before a user logs in (for example, for an antivirus update or a Windows system update) or makes any other request, it is considered a valid NTLM request. In this case, the XG web proxy/auth service prompts the device for authentication, to which the device responds with an NTLM Negotiate message. This message contains the machine name and the credentials with which it authenticates (NTLM server).

    This is the possible reason XG takes the device's machine name as the username, and hence you see the machine name in the Live Users list.

    Once the user logs in and browses traffic from the browser, the machine name should/must get replaced by the actual username. If this is not happening, then this requires a support investigation with the required services in debug to confirm more about the issue.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • So I think I have figured out what is causing this. Recently we have changed our DHCP servers to include option 252 in our scope options which is the URL to a WPAD.dat file for our proxy configuration.

    Previously we specified our proxy config file via group policy at login. So I think what is happening is that devices are getting IP addresses prior to login, and so they are being authenticated to our XG via the device name, because there is no user logged in at the point of getting the IP address.

    Is there any way to prevent this from happening? Or can I force the device to re-auth on login using something in GPO, or a script or something else? 

    Thanks.
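    The failure mode described in the two posts above (a machine-account session created by pre-login traffic that is never replaced by the real user) can be audited from whatever live-user or auth log export you have. The following is an added example, not Sophos code and not the XG access_server log format: it assumes records with a timestamp, client IP and authenticated account, uses the Windows convention that machine accounts end in `$`, and reports IPs whose latest auth is still a machine account after a grace period.

```python
"""Flag client IPs whose most recent authentication is a machine account that
was never replaced by a user login. Record layout is an assumption for this
example, not the XG access_server log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class AuthRecord:
    ts: datetime
    ip: str
    account: str  # "jsmith@company.net" (user) or "PC-SALES-07$" (machine)


def is_machine_account(account: str) -> bool:
    """Windows computer accounts end in '$' (sAMAccountName convention).
    A bare name with no '@' user-principal form is treated as suspect too."""
    name = account.split("@", 1)[0]
    return name.endswith("$") or "@" not in account


def stale_machine_sessions(records: List[AuthRecord], now: datetime,
                           grace: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return IPs whose latest auth is a machine account older than `grace`.
    A machine-account entry inside the grace window is the expected pre-login
    state (AV/Windows update traffic); one that persists is the problem."""
    latest: Dict[str, AuthRecord] = {}
    for r in sorted(records, key=lambda r: r.ts):
        latest[r.ip] = r  # last record per IP wins
    return sorted(ip for ip, r in latest.items()
                  if is_machine_account(r.account) and now - r.ts > grace)


# Constructed sample data (not real log output)
T0 = datetime(2021, 3, 1, 8, 0)
SAMPLE = [
    AuthRecord(T0, "10.1.1.10", "PC-FINANCE-01$"),
    AuthRecord(T0 + timedelta(minutes=2), "10.1.1.10", "jsmith@company.net"),  # replaced: OK
    AuthRecord(T0, "10.1.1.11", "PC-SALES-07$"),                                # never replaced
    AuthRecord(T0 + timedelta(minutes=55), "10.1.1.12", "PC-HR-03$"),           # still in grace
    AuthRecord(T0 + timedelta(minutes=5), "10.1.1.13", "mjones@company.net"),
]


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample one hour after T0."""
    return stale_machine_sessions(SAMPLE, T0 + timedelta(hours=1))


if __name__ == "__main__":
    for ip in audit_sample():
        print("machine account still holds session for", ip)
```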