NTLM poxy proxy

bentoms
Release Candidate Programs Tester

Hi all,

New environment uses Websense as a proxy & they've configured it to use NTLM authentication.

PC's pass thru, Macs prompt for uid, prompt, prompt & prompt. :(

Even saving to keychain & allowing all applications access to the keychain for the proxy still leads to prompts.

Googling seems to lead to programs like: Authoxy that stop the continuous prompts.

How do you guys deal with this issue? Surely, there's another way?

Regards,

Ben.


talkingmoose
Moderator

Macs should prompt for credentials between launches of your web browser but not multiple times in one session. Are you using Safari, Firefox or something else? Are your users saving their credentials in their keychains?

On 4/19/11 4:16 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:

I've seen a handful of stock photo sites that seem to spur continuous proxy prompts.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

bentoms
Release Candidate Programs Tester

Safari primarily (need to look more at Firefox).

Yammer (or adobe air) prompts constantly.

Passwords are saved to keychain.

Regards,

Ben.

talkingmoose
Moderator

I suspect something's configured with your proxy that's causing this behavior. Windows machines are probably repeatedly authenticating too, but because of Windows integrated authentication they never see this. Test with Firefox on Windows and preferably on a Linux or other non-Windows system to confirm this.

On 4/19/11 4:35 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:

Yammer. What an appropriate name.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

bentoms
Release Candidate Programs Tester

Yeah, it's the NTLM authentication.

I think it works like Kerberos on the PCs.

Firefox has some NTLM support (if you package it).

But it's causing issues elsewhere.

Regards,

Ben.

donmontalvo
Esteemed Contributor III

Hi Ben,

We've seen this in several high profile shops. Websense integrator proposes a Windows-only "solution" of Websense/ISA and the Wintel "manager" buys off on the idea (behind closed doors of course)...then only after it's too late, it's discovered that only PCs can get out and Mac users get endless authentication prompts.

It's not a good solution for mixed platform environments, but the Wintel folks who manage ISA sell the idea behind closed doors...then it's the Mac guy's problem. :(

We worked with Heath (Authoxy) for some years through different environments, never worked.

The only real solution is to enable plain text authentication for Macs...segregation...segregation...segregation....

(then shine a nice bright light on the Wintel person who flipped the Mac environment the bird and implemented this very broken solution - which is only suitable for 100% Wintel environments).

I had several bug reports submitted to Apple (Radar) over the years, none were ever resolved...and now that we've got a lot of leverage with Microsoft (to the tune of 200,000+ Wintel clients across different global environments we manage/support), I've got requests in to them for ISA client for Mac OS X. The response from Microsoft so far..."nobody else is asking for it"...so....

Don

--
https://donmontalvo.com

Not applicable

We've run Websense in our district for a little over 3 years; however, we also run ADmitMac (DFS mainly) and our users are not prompted. The only problem we've had is Websense will sometimes remember the credentials of the last person to log in for an extended period of time, well after that user has logged out.

Example:

limited-user logs in, works, logs out.
admin-user logs in, works, websense still treats the connection as a limited user for a while.

Having said that, we're rolling out Forefront TMG, because Websense's HTTPS filtering is outrageous compared to TMG, which is part of our enterprise agreement. (client licenses at least).

Daniel

CasperSally
Valued Contributor II

We used ISA + Websense for a while; it worked well except some streaming sites had to be manually allowed on the ISA because of prompting issues (the list just grew and grew and was not easy to maintain).

As a side note - can we do a quick poll on what web filtering company you guys use (if not websense)?

bentoms
Release Candidate Programs Tester

Thanks daniel.

How do your users authenticate to the proxy? I've been told by the guy that looks after Websense that it's set up to use NTLM. I'm not sure what other options are available & I'd like to present a solution to him using his terminology!

Regards,

Ben.

Not applicable

The difference is we didn't use ISA. We only used Websense as a web filter. Basically, using it as a network sniffer, and if the site was allowed, traffic was passed. If not, the Websense block page was sent.

Hence the reason we're moving to TMG.

bentoms
Release Candidate Programs Tester

Thanks.

We're using ISA as access is based on AD groups & some sites' access is time restricted.

Previously I've used Websense with the password override option.

Never used it this way.

Regards,

Ben.

Not applicable

We use Websense here, but we don't authenticate to it.

I remember some months ago when it was turned on; none of the Macs could reach the Internet anymore. InDesign and Acrobat still lock up while they try to access the Internet (InDesign has a little thing in its intro window that loads from the Internet, Acrobat locks up when it checks for updates). We resolve both problems by disabling the part that uses Internet access, but this is not a real solution. We've also found that we are unable to set up a single Airport configuration that provides Internet access for our intranet wireless and our guest wireless. And of course this is something that requires an admin to fix.

*sigh* Sorry for venting here; it's been loads of fun dealing with all this. I wish they'd thought to test the various non-Wintel devices before switching to Websense.

bentoms
Release Candidate Programs Tester

Thanks for sharing your experience.

Pretty much what I've been seeing.

It worked well at previous employer as they allowed people to password override sites. Shame it won't work here.

Anyone have an idea how to capture the URLs the apps need so we can exclude them?

Regards,

Ben.

bentoms
Release Candidate Programs Tester

Answering my own question.

Wireshark & port 80 dumps.

Regards,

Ben.
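The post above answers the exclusion-list question with "Wireshark & port 80 dumps", but the dump still has to be turned into a list of hosts. The script below is an added example, not code from the thread or from Websense: it takes the plain text of a port-80 capture (the kind of output Wireshark's "Follow TCP Stream" view shows), pairs each response with the host of the request it answered, and reports which hosts the proxy is still answering with 407 Proxy Authentication Required at the end of the capture. A host whose client finishes the NTLM handshake ends on a 200; a host whose client keeps retrying without credentials ends on a 407, which is exactly the application that produces the endless prompts and is the candidate for the bypass list. The sample stream, the hostnames and the NTLM token strings are constructed placeholders.

```python
import re
from urllib.parse import urlparse

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: (.*))?$")


def _msg(start_line, *headers, body=""):
    """Serialize one HTTP/1.x message the way it appears on the wire."""
    return "\r\n".join((start_line,) + headers) + "\r\n\r\n" + body


# Constructed sample of three plain-HTTP exchanges as they might appear in a
# text export of a port-80 capture. Hostnames and NTLM tokens are placeholders.
SAMPLE_STREAM = "".join([
    # 1) A browser completing the three-leg NTLM handshake with the proxy.
    _msg("GET http://www.example.invalid/ HTTP/1.1", "Host: www.example.invalid"),
    _msg("HTTP/1.1 407 Proxy Authentication Required",
         "Proxy-Authenticate: NTLM", "Content-Length: 0"),
    _msg("GET http://www.example.invalid/ HTTP/1.1", "Host: www.example.invalid",
         "Proxy-Authorization: NTLM TYPE1-TOKEN-PLACEHOLDER"),
    _msg("HTTP/1.1 407 Proxy Authentication Required",
         "Proxy-Authenticate: NTLM TYPE2-CHALLENGE-PLACEHOLDER", "Content-Length: 0"),
    _msg("GET http://www.example.invalid/ HTTP/1.1", "Host: www.example.invalid",
         "Proxy-Authorization: NTLM TYPE3-TOKEN-PLACEHOLDER"),
    _msg("HTTP/1.1 200 OK", "Content-Length: 2", body="ok"),
    # 2) An application that cannot speak NTLM: it retries without credentials
    #    and is challenged again, so its last response is still a 407.
    _msg("GET http://updates.example-app.invalid/check HTTP/1.1",
         "Host: updates.example-app.invalid"),
    _msg("HTTP/1.1 407 Proxy Authentication Required",
         "Proxy-Authenticate: NTLM", "Content-Length: 0"),
    _msg("GET http://updates.example-app.invalid/check HTTP/1.1",
         "Host: updates.example-app.invalid"),
    _msg("HTTP/1.1 407 Proxy Authentication Required",
         "Proxy-Authenticate: NTLM", "Content-Length: 0"),
    # 3) A host the proxy already lets through without authentication.
    _msg("GET http://allowed.example.invalid/ HTTP/1.1", "Host: allowed.example.invalid"),
    _msg("HTTP/1.1 200 OK", "Content-Length: 0"),
])


def split_messages(stream):
    """Split a captured stream into (start_line, headers, body) tuples.

    Bodies are delimited by Content-Length; messages without one are treated
    as body-less, which is true for the GET requests and 407 replies here.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        if stream.startswith("\r\n", pos):  # tolerate stray blank lines
            pos += 2
            continue
        end = stream.find("\r\n\r\n", pos)
        if end == -1:
            break  # truncated capture: drop the partial message
        lines = stream[pos:end].split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return messages


def exchanges(stream):
    """Pair each response with the host of the request it answers.

    Returns a list of (host, status_code, proxy_authenticate_scheme); the
    scheme is None when the response carried no Proxy-Authenticate header.
    """
    result = []
    host = None
    for start, headers, _ in split_messages(stream):
        req = REQUEST_LINE.match(start)
        if req:
            host = headers.get("host") or urlparse(req.group(2)).netloc
            continue
        resp = STATUS_LINE.match(start)
        if resp and host:
            scheme = headers.get("proxy-authenticate", "").split(" ", 1)[0] or None
            result.append((host, int(resp.group(1)), scheme))
    return result


def challenge_schemes(stream):
    """Authentication schemes the proxy offered, per host (e.g. {'NTLM'})."""
    schemes = {}
    for host, status, scheme in exchanges(stream):
        if status == 407 and scheme:
            schemes.setdefault(host, set()).add(scheme)
    return schemes


def bypass_candidates(stream):
    """Hosts whose last observed response is still a 407.

    Their client never completed the proxy handshake, so these are the hosts
    to review for the proxy's exclusion (bypass) list.
    """
    last_status = {}
    for host, status, _ in exchanges(stream):
        last_status[host] = status
    return sorted(h for h, s in last_status.items() if s == 407)


if __name__ == "__main__":
    print("challenge schemes:", challenge_schemes(SAMPLE_STREAM))
    print("bypass candidates:", bypass_candidates(SAMPLE_STREAM))
```

To use it on a real capture, save the ASCII rendering of each port-80 stream to a file and pass its contents to `bypass_candidates`; a host that appears there with a completed 200 elsewhere in the capture is a client that eventually authenticates and needs no exclusion, which is why the check looks at the last response per host rather than at the mere presence of a 407.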

bentoms
Release Candidate Programs Tester

So my moaning may have yielded a result.

I've been allowed to look at a proxy for the Macs here. Anyone got any recommendations? We need to control access based on users & AD groups.

So something Kerberized should work.

Regards,

Ben.

csanback
New Contributor III

Hey @bentoms

What did you end up going with?

My company is doing some new POCs for a new proxy and I would like to make sure we test a few that are Mac friendly.

Thanks!

Chris

bentoms
Release Candidate Programs Tester

@csanback In the end, we moved to a Kerberized proxy.