UTM 9.165
Web Server: IIS on Windows Server 2008 R2
Active Directory: Windows Server 2008 R2
Client: Windows 2008 R2 with Internet Explorer 10
Under "Definition & Users", I configured an Active Directory "Authentication Server" using an availability group with two domain controllers. I tested authentication. No problems.
Under "Webserver Protection", under "Web Application Firewall", I configured a real webserver behind the UTM. I configured a virtual webserver that passes the host header and with no firewall profile, and associated it with the real webserver. All communication is 443 with trusted certificates. My client is prompted for basic authentication and gets to the page after entering credentials. No problems.
Under "Webserver Protection", under "Reverse Authentication", I created a new reverse authentication profile with a frontend mode of "Form", a Frontend realm of the AD domain name (e.g.: mydomain.com) that I configured the authentication server for earlier, and set the backend mode to "Basic", which is the authentication method configured (and working) in IIS. I added the "Active Directory Users" group to the "Users / Groups" list.
Back under "Webserver Protection", under "Web Application Firewall", I modified the (root) Site Path Route for the webserver I created earlier to use reverse authentication with the profile I just created.
Now, my browser gets the form and I am able to enter an ID and password, the password seems to work, but then I get prompted for basic authentication by the backend.
Errors and warning appear in the log:
2013:11:01-08:40:35 sophos reverseproxy: [Fri Nov 01 08:40:35.059832 2013] [reverse_auth:error] [pid 869:tid 4014197616] [client 50.165.227.162:16846] could not find username note, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:35 sophos reverseproxy: [Fri Nov 01 08:40:35.064322 2013] [cookie:warn] [pid 869:tid 4014197616] [client 50.165.227.162:16846] Dropping cookie 'MYDOMAIN.COM_cookie' from request due to missing/invalid signature, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:35 sophos reverseproxy: srcip="50.165.227.162" localip="129.105.233.208" size="641" user="myuser" host="50.165.227.162" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" time="173960" url="/" server="test1.MYDOMAIN.COM" referer="test1.MYDOMAIN.COM/.../"
2013:11:01-08:40:55 sophos reverseproxy: [Fri Nov 01 08:40:55.421096 2013] [reverse_auth:error] [pid 869:tid 3997412208] [client 50.165.227.162:16850] could not find username note, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:55 sophos reverseproxy: srcip="50.165.227.162" localip="129.105.233.208" size="108" user="myuser" host="50.165.227.162" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="423676" url="/" server="test1.MYDOMAIN.COM" referer="test1.MYDOMAIN.COM/.../"
If I enter bad credentials in the form, I get a blank form back, which suggests that good credentials are being accepted by the form before I get prompted by the backend basic authentication. Why are the credentials not being passed to the backend correctly? What am I doing wrong?
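The log excerpt above mixes two line shapes (Apache-style error lines from the reverse_auth and cookie modules, and key="value" access lines). As an added example, not part of the post and not Sophos code, the following Python parses both shapes and flags the pattern the poster is seeing: for the same client and second, the WAF reports a dropped cookie or a missing username note, and the access line still shows a 401 even though a user was identified. The sample log is the post's own excerpt embedded inline; the regexes and the finding format are this example's assumptions, not a UTM API.

```python
"""Triage of Sophos UTM 'reverseproxy' log lines.

Added example; it is not from the original post or from Sophos. It parses the
two line shapes in the post (Apache-style error lines and key="value" access
lines) and flags clients for which the WAF dropped a signed cookie or could not
find a username note and the backend still answered 401 with a user set.
"""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post, verbatim.
SAMPLE_LOG = """\
2013:11:01-08:40:35 sophos reverseproxy: [Fri Nov 01 08:40:35.059832 2013] [reverse_auth:error] [pid 869:tid 4014197616] [client 50.165.227.162:16846] could not find username note, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:35 sophos reverseproxy: [Fri Nov 01 08:40:35.064322 2013] [cookie:warn] [pid 869:tid 4014197616] [client 50.165.227.162:16846] Dropping cookie 'MYDOMAIN.COM_cookie' from request due to missing/invalid signature, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:35 sophos reverseproxy: srcip="50.165.227.162" localip="129.105.233.208" size="641" user="myuser" host="50.165.227.162" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" time="173960" url="/" server="test1.MYDOMAIN.COM" referer="test1.MYDOMAIN.COM/.../"
2013:11:01-08:40:55 sophos reverseproxy: [Fri Nov 01 08:40:55.421096 2013] [reverse_auth:error] [pid 869:tid 3997412208] [client 50.165.227.162:16850] could not find username note, referer: https://test1.MYDOMAIN.COM/MYDOMAIN.COM_form
2013:11:01-08:40:55 sophos reverseproxy: srcip="50.165.227.162" localip="129.105.233.208" size="108" user="myuser" host="50.165.227.162" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="423676" url="/" server="test1.MYDOMAIN.COM" referer="test1.MYDOMAIN.COM/.../"
"""

# Common prefix: UTM timestamp, hostname, the 'reverseproxy:' tag.
PREFIX = r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ reverseproxy: '

# Apache-style error line: [date] [module:level] [pid ...] [client ip:port] message
ERROR_RE = re.compile(
    PREFIX
    + r'\[[^\]]+\] \[(?P<module>[^:\]]+):(?P<level>\w+)\] '
    + r'\[pid [^\]]+\] \[client (?P<client>[\d.]+):(?P<port>\d+)\] (?P<msg>.*)$'
)

# Access line: a run of key="value" pairs.
ACCESS_RE = re.compile(PREFIX + r'(?P<kv>(?:\w+="[^"]*" ?)+)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict for one log line, or None if the shape is not recognised."""
    m = ERROR_RE.match(line)
    if m:
        rec = m.groupdict()
        rec['kind'] = 'error'
        rec['cookie_dropped'] = (rec['module'] == 'cookie'
                                 and 'invalid signature' in rec['msg'])
        rec['no_username_note'] = 'could not find username note' in rec['msg']
        return rec
    m = ACCESS_RE.match(line)
    if m:
        rec = {'kind': 'access', 'ts': m.group('ts')}
        rec.update(KV_RE.findall(m.group('kv')))
        return rec
    return None


def parse_log(text):
    """Parse every recognisable line, skipping the rest."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def reverse_auth_findings(records):
    """Correlate error and access lines by (timestamp, client IP).

    Returns a list of (timestamp, srcip, user, reasons) for access lines with
    statuscode 401 and a real user value that share a second with a dropped
    cookie or a missing username note for the same client. A 401 with no such
    error in the same second is left alone: that is ordinary backend auth.
    """
    errors = defaultdict(set)
    for r in records:
        if r['kind'] != 'error':
            continue
        key = (r['ts'], r['client'])
        if r['cookie_dropped']:
            errors[key].add('cookie signature rejected')
        if r['no_username_note']:
            errors[key].add('username note missing')

    findings = []
    for r in records:
        if r['kind'] != 'access' or r.get('statuscode') != '401':
            continue
        reasons = errors.get((r['ts'], r['srcip']), set())
        if r.get('user', '-') != '-' and reasons:
            findings.append((r['ts'], r['srcip'], r['user'], sorted(reasons)))
    return findings


if __name__ == '__main__':
    for ts, ip, user, why in reverse_auth_findings(parse_log(SAMPLE_LOG)):
        print(f'{ts} {ip} user={user}: backend 401 after {", ".join(why)}')
```

Run over the sample, it reports one event at 08:40:35: the access line names user="myuser" (so the form step produced an identity) while the same second carries both the dropped MYDOMAIN.COM_cookie and the missing username note, and the backend answered 401. The 08:40:55 request that returned 200 is not flagged, which matches the poster's description of the page eventually loading after the backend's own basic-auth prompt.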