EFW 3.X & AD asks for User Name / Password

[Guest]

[Manit]

Dear All,

I'm EFW fan and I've been using it since very long (can't remember how long).
I deployed to my small size network customers without any problem for many years.

Here are my standard configuration:
1. Windows Server 2008 as AD with INTERNET_USERS_GROUP pre-defined on AD.
2. EFW joined to AD / client access to the internet via proxy with NTLM + Web Filter + Access Policy
3. on EFW Web Filter / Page Filter I've 'TURN-ON' some un-related to office work categories on  such as "Chat, Games, Hacking & Warez"  etc.  

But as far as I'm testing on EFW 3 including the latest one "EFW-COMMUNITY-3.0.5-beta1-devel-201504071248.iso"

Problem :
"Sometime" at user client PC the Authentication user log-on screen just pops up and asks for User Name & Password.
Since I've tested, seem like it pops up when user go to some blocked sites (defined on Web Filter).

I'm facing on this problem since version 3 released and can't get issue resolve.

Please help.

Thank You

[dda]

Have experienced that... very annoying.  It actually stops you from loading an allowed page if you try to subsequently.  I switched to LDAP and it solved that and a  other problems.

[burja2]

I've seen something written in the reference manual regarding a setting to be altered in group policies (gpedit.msc) to address an issue similar to the one you are describing on client side.

NTLM authentication with Windows Vista and Windows 7.

The HTTP Proxy in the Endian UTM Appliance uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client installing those operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:

        Start ‣ gpedit.msc (run as administrator)
        Go to: Computer configuration ‣ Windows Settings ‣ Security Settings ‣ Local Policies ‣ Security Options
        Find the configuration option Network Security: LAN MANAGER Authentication Level
        Select the value “Send LM * NTLM - use NTLMv2 session security if negotiated”

After applying these changes the client browser should correctly authenticate using the AD Login Name / Credentials for the HTTP Proxy.

[Juarez1972]

I have the same problem. I tried it and don't works. I tried too:
# chgrp squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged
and don't works.
Some machines are linux and some Windows is standalone. Everething ask for password if user is not in the group that have permissions.
I tried change de rules order but don't run too. The problem is the Access Policy rules.
Somebody can help me?

[Juarez1972]

To works without being asked password at no time did the lock without relating to a group (no authentication required).
Only release was made by AD user group.
The Access Policy looked like this:
3 filter using 'social_networks_rules' GREEN .facebook.com .youtube.com .twitter.com .pinterest.com .netflix.com .ytimg.com social_networks_group Always ANY
4 Access denied GREEN .facebook.com .youtube.com .twitter.com .pinterest.com .netflix.com .ytimg.com .linkedin.com Not required Always ANY
Thank you all.

[Dumisani]

Please help i have setup endian community firewall. firewall only shows outgoing mails at mail queue but not for incoming mail.

[Atmotmefe]

I used to be able to save my password & user name.  Starting today, I cant.  Is there something I have to do?

[cocoalcazar]

    
Re: EFW 3.X & AD asks for User Name / Password
« Reply #2 on: June 10, 2015, 02:16:23 PM »
   Reply with quote
I've seen something written in the reference manual regarding a setting to be altered in group policies (gpedit.msc) to address an issue similar to the one you are describing on client side.

NTLM authentication with Windows Vista and Windows 7.

The HTTP Proxy in the Endian UTM Appliance uses negotiated NTLMv2, while both Windows Vista and Windows 7 allow by default only straight NTLMv2. As a result, a client installing those operating systems may fail to authenticate to the HTTP proxy even when supplying the correct credentials. The following changes to the client configuration are required to correctly authenticate:

        Start ‣ gpedit.msc (run as administrator)
        Go to: Computer configuration ‣ Windows Settings ‣ Security Settings ‣ Local Policies ‣ Security Options
        Find the configuration option Network Security: LAN MANAGER Authentication Level
        Select the value “Send LM * NTLM - use NTLMv2 session security if negotiated”

After applying these changes the client browser should correctly authenticate using the AD Login Name / Credentials for the HTTP Proxy.





Does this method work?