NTLM/Kerberos authenticating device instead of user

So since today only, we are having a strange issue, where users are getting authenticated by devices instead of username. 

This is how it should look, and for most users it is correct it seems.

So the above, it's basically their username@company.net, which works fine.

But some users are getting authenticated by device, like this:

I've never seen this before, but it's blocking all web access since we use web policies that block web access if the user is not in specific AD groups. Obviously, as a computer object, these are not going to be in the correct groups.

Any reason this would be happening? Seems to happen more in Chrome than other browsers too.



This thread was automatically locked due to age.
  • Hi,

    Below could be a possible reason:

    If a device connects to the Internet before a user logs in (for example, for an Anti Virus Update or a Windows System Update, or any other request), it is considered a valid NTLM request. In this case, the XG webproxy/auth service prompts the device for authentication, to which the device responds with an NTLM Negotiate Message. This message contains the Machine Name and the credentials with which it authenticates (NTLM Server).

    This is the possible reason: XG takes up the device’s Machine Name as the username, and hence you see the Machine Name in the Live Users list.

    Once the user logs in and browses traffic from the browser, the Machine Name should/must get replaced by the actual username. If this is not happening, then this requires support investigation with the required services in debug to confirm more on the issue.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
