NTLM poxy proxy

Macs should prompt for credentials between launches of your web browser
On 4/19/11 4:16 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:
but not multiple times in one session. Are you using Safari, Firefox or
something else? Are your users saving their credentials in their keychains?

I've seen a handful of stock photo sites that seem to spur continuous
proxy prompts.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

Safari primarily. (need to look more at firefox).

Yammer (or adobe air) prompts constantly.

Passwords are saved to keychain.

Regards,

Ben.

I suspect something's configured with your proxy that's causing this
On 4/19/11 4:35 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:
behavior. Windows machines are probably repeatedly authenticating too but
because of Windows integrated authentication they never see this. Test
with Firefox on Windows and preferably on a Linux or other non-Windows
system to confirm this.

Yammer. What an appropriate name.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

Yea it's the NTLM authentication.

I think it works like Kerberos on the pc's.

Firefox has some NTLM support (if you package it).

But it's causing issues elsewhere.

Regards,

Ben.

Hi Ben,

We've seen this in several high profile shops. Websense integrator proposes a Windows-only "solution" of Websense/ISA and the Wintel "manager" buys off on the idea (behind closed doors of course)...then only after it's too late, it's discovered that only PC's can get out and Mac users get endless authentication prompts.

It's not a good solution for mixed platform environments, but the Wintel folks who manage ISA sell the idea behind closed doors...then it's the Mac guy's problem. :(

We worked with Heath (Authoxy) for some years through different environments, never worked.

The only real solution is to enable plain text authentication for Macs...segregation...segregation...segregation....

(then shine a nice bright light on the Wintel person who flipped the Mac environment the bird and implemented this very broken solution - which is only suitable for 100% Wintel environments).

I had several bug reports submitted to Apple (Radar) over the years, none were ever resolved...and now that we've got a lot of leverage with Microsoft (to the tune of 200,000+ Wintel clients across different global environments we manage/support), I've got requests in to them for ISA client for Mac OS X. The response from Microsoft so far..."nobody else is asking for it"...so....

Don

We've run Websense in our district for a little over 3 years, however, we also run ADmitMac (DFS mainly) and our users are not prompted. The only problem we've had is Websense will sometime remember the credentials of the last person to login for an extended period of time, well after that user has logged out.

Example:

limited-user logs in, works, logs out.
admin-user logs in, works, websense still treats the connection as a limited user for a while.

Having said that, we're rolling out Forefront TMG, because Websense's HTTPS filtering is outrageous compared to TMG, which is part of our enterprise agreement. (client licenses at least).

Daniel

We used ISA + websense for awhile, it worked well except some streaming sites had to be manually allowed on the ISA because of prompting issues (the list just grew and grew and was not easy to maintain).

As a side note - can we do a quick poll on what web filtering company you guys use (if not websense)?

Thanks daniel.

How do your users authenticate to the proxy? I've been told by the guy that looks after websense that it's setup to use NTLM. I'm not sure what other options are available & I'd like to present a solution to him using his terminology!

Regards,

Ben.

The difference is we didn't use ISA. We only used Websense as a webfilter. Basically, using it as a network sniffer, and if the site was allowed, traffic was passed. If not, the Websense block page was sent.

Hence the reason we're moving to TMG.

Thanks.

We're using ISA as access is based on ad groups & some sites access is time restricted.

Previously I've used websense with the password override option.

Never used it this way.

Regards,

Ben.

We use websense here, but we don't authenticate to it.

I remember some months ago when it was turned on; none of the Macs could reach the Internet anymore. InDesign and Acrobat still lock up while they try to access the Internet (InDesign has a little thing in its intro window that loads from the Internet, Acrobat locks up when it checks for updates). We resolve both problems by disabling the part that uses Internet access, but this is not a real solution. We've also found that we are unable to set up a single Airport configuration that provides Internet access for our intranet wireless and our guest wireless. And of course this is something that requires an admin to fix.

*sigh* Sorry for venting here; It's been loads of fun dealing with all this. I wish they'd thought to test the various non-Wintel devices before switching to websense.

Thanks for sharing your experience.

Pretty much what I've been seeing.

It worked well at previous employer as they allowed people to password override sites. Shame it won't work here.

Anyone have idea how to capture the url's the apps need so we can exlude them?

Regards,

Ben.

Answering my own question.

Wireshark & port 80 dumps.

Regards,

Ben.

So my moaning may have yielded a result.

I've been allowed to look at a proxy for the macs here. Anyone got any recommendations? We need to control access based on users & ad groups.

So something kerberized should work.

Regards,

Ben.

Hey @bentoms

What did you end up going with?

My company is doing some new POC's for a new proxy and I would like to make sure we test a few that are Mac friendly.

Thanks!

Chris

@csanback In the end, we moved to a kerberised proxy