SSO Authentication (Standard Mode) suddenly requires authentication for Content Server sites.

Hi All

Yesterday afternoon (3rd December, approx 14:00), most sites that have analytics, which is most, are all of a sudden asking for credentials.

 

The proxy server has been working perfectly for approx 3 years now without issue or recent change.

 

Original web site http://news.sky.com/entertainment for example.

 

 

I have checked the web log for events and discovered that the user is accepted for the initial site but does not pass credentials for the "Content Server" sites.

 

2015:12:04-12:42:42 utm220-1 httpproxy[23780]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.18.57" dstip="" user="USERNAME" ad_domain="DOMAIN" statuscode="407" cached="0" profile="REF_HttProIt (CARS)" filteraction=" ()" size="2505" request="0xd009000" url="news.sky.com/entertainment" referer="http://news.sky.com/weather" error="" authtime="59" dnstime="0" cattime="0" avscantime="0" fullreqtime="35427" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions=""


2015:12:04-12:42:42 utm220-1 httpproxy[23780]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.18.57" dstip="37.252.163.213" user="USERNAME" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_HttProIt (CARS)" filteraction="REF_HttCffItAdminist (IT Administrators)" size="0" request="0xe1a41800" url="ams1.ib.adnxs.com/vevent referer="ams1.ib.adnxs.com/if error="" authtime="75" dnstime="442" cattime="124" avscantime="0" fullreqtime="105602" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions="" country="Europe" category="154" reputation="neutral" categoryname="Web Ads" application="appnexus" app-id="802"


2015:12:04-12:42:45 utm220-1 httpproxy[23780]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.18.57" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProIt (CARS)" filteraction=" ()" size="2505" request="0xe19cb000" url="pagead2.googlesyndication.com/activeview referer="news.sky.com/entertainment" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="146" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions=""

 

Could it be a problem with surf protection?

 

Any ideas?

 

Many thanks

 

Chris
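
One way to triage the pattern described in the post above (the user is accepted for the page, then embedded-content requests get a 407 with an empty user), as an added example that is not part of the original thread. It assumes well-formed key="value" httpproxy lines; the sample lines, hosts, user name, IPs and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM httpproxy key="value" layout
# shown in the post (hosts, user and IPs are placeholders, not from the thread).
SAMPLE_LOG = '''\
2015:12:04-12:42:42 utm httpproxy[1]: id="0001" action="pass" method="GET" srcip="192.0.2.57" user="alice" ad_domain="EXAMPLE" statuscode="200" url="http://news.example/entertainment" referer="" ua="Chrome/47.0"
2015:12:04-12:42:45 utm httpproxy[1]: id="0003" action="pass" method="GET" srcip="192.0.2.57" user="" ad_domain="" statuscode="407" url="http://ads.example/activeview" referer="http://news.example/entertainment" ua="Chrome/47.0"
2015:12:04-12:42:46 utm httpproxy[1]: id="0003" action="pass" method="GET" srcip="192.0.2.57" user="" ad_domain="" statuscode="407" url="http://ads.example/pixel" referer="http://news.example/entertainment" ua="Chrome/47.0"
2015:12:04-12:42:50 utm httpproxy[1]: id="0003" action="pass" method="GET" srcip="192.0.2.99" user="" ad_domain="" statuscode="407" url="http://news.example/" referer="" ua="Chrome/47.0"
'''

FIELD = re.compile(r'([\w-]+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one httpproxy log line as a dict."""
    return dict(FIELD.findall(line))

def host_of(url):
    """Host part of a URL that may or may not carry a scheme."""
    return re.sub(r'^[a-z]+://', '', url).split('/', 1)[0]

def unauthenticated_subrequests(log_text):
    """Find 407 responses with an empty user from clients that had already
    authenticated, i.e. the embedded-content requests the post describes."""
    authed = {}   # srcip -> last user name the proxy logged for that client
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip = rec.get("srcip", "")
        if rec.get("user"):
            authed[ip] = rec["user"]
        elif rec.get("statuscode") == "407" and ip in authed:
            hits.append({"srcip": ip, "known_user": authed[ip],
                         "host": host_of(rec.get("url", "")),
                         "page": host_of(rec.get("referer", "")),
                         "ua": rec.get("ua", "")})
    return hits

def summarize(hits):
    """Count failures per (referring page host, embedded host, user agent)."""
    return Counter((h["page"], h["host"], h["ua"]) for h in hits)

if __name__ == "__main__":
    for key, n in summarize(unauthenticated_subrequests(SAMPLE_LOG)).items():
        print(n, *key)
```

Grouping by user agent shows whether the failures are confined to one browser, which is the question raised in the replies below.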



  • FormerMember
    I see this has been reported as a widespread issue.
    code.google.com/.../detail
  • Hi

    I've seen a couple of cases of this over the last week. As Emile and Gary point out, this seems to be specific to Chrome and NTLM authentication, although I haven't had a chance to do any in-depth investigation on this.

    In the cases that I have looked at, we have made changes to allow Chrome to use Kerberos rather than NTLM auth, which has worked as a workaround. E.g. change the browser proxy settings to FQDN rather than IP address.

    However if you are seeing these symptoms in IE as well as Chrome then this may be a red herring. Wireshark can be used to check whether NTLM or Kerberos is being used. If you are still experiencing this issue then let us know and I can provide more information.

    Greg
  • The Updates did not fix the issue.

    We tried changing the proxy address to FQDN, but no fix.

    The workaround used to fix the issue was to disable "Block access on authentication failure".

    The user and site are still queried against Active Directory and content filtering.

    I appreciate it's not ideal, but...

    We roll out GPO proxy settings which cannot be changed.

    Hope it gets fixed soon.