
Computer-based authentication / authorization fails with Integrated Web Authentication (IWA)

Solutions ID:    KB4282
Version:    7.0
Status:    Published
Published date:    02/03/2011
Updated:    09/05/2013
 

Problem Description

Certain applications and User-Agents authenticate with the computer's account rather than the logged-on user's account. This is generally observed with Windows Vista and Windows 7. Computer accounts are similar to user accounts in several ways – they have a password, and they can belong to groups. However, by default, computer accounts belong only to the 'Domain Computers' group.

For example, the Windows Update agent may authenticate with the computer's account, and the request is then denied with 403 Forbidden, as in the capture below:

Hypertext Transfer Protocol
    HEAD http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?xxxxxxxxxx HTTP/1.1\r\n
    Accept: */*\r\n
    User-Agent: Windows-Update-Agent\r\n
    Proxy-Connection: Keep-Alive\r\n
    Host: download.windowsupdate.com\r\n
    [truncated] Proxy-Authorization: NTLM         NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_AUTH (0x00000003)
            Lan Manager Response: 000000000000000000000000000000000000000000000000
            NTLM Client Challenge: 0000000000000000
            NTLM Response: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
            NTLM Client Challenge: xxxxxxxxxxxxxxxx
            Domain name: KLDEV
            User name: BLUECOAT1$           <<<<< Computer Account / Host name is sent as the username
            Host name: BLUECOAT1            <<<<< Computer hostname
            Session Key: Empty
            Flags: 0xa2888205
            Version 6.1 (Build 7600); NTLM Current Revision 15
            MIC: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Cookie: BCSI-CS-XXXXXXXXXXXXXXXX=X\r\n
    \r\n

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 572
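The capture above shows the computer account in the User name field of the NTLM AUTHENTICATE message (the account name is the host name with a trailing "$"). The script below is an added example, not Blue Coat code, for triaging this on the defender's side: it decodes the Proxy-Authorization: NTLM header, reads the identity fields according to the AUTHENTICATE_MESSAGE layout in Microsoft's MS-NLMP specification, and reports which requests authenticated with a machine account so you can decide whether the policy in the Resolution section applies. The sample headers are constructed (domain KLDEV, host BLUECOAT1 as in the capture, plus a made-up user account and workstation), and the LM/NT response bytes are dummy values.

```python
"""Flag computer-account (machine) NTLM authentication in proxy requests.

Added example (not Blue Coat's code). It follows the AUTHENTICATE_MESSAGE
layout from MS-NLMP; all sample values below are constructed.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTH = 3                        # message type of the AUTHENTICATE message
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set
CAPTURE_FLAGS = 0xA2888205              # flags value shown in the article's capture
_HEADER_LEN = 64 + 8 + 16               # fixed part + Version (8) + MIC (16)


def _read_field(msg, pos):
    """Read one security-buffer descriptor (Len, MaxLen, Offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Decode the identity fields of an NTLM AUTHENTICATE (Type 3) message."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not a complete NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != NTLMSSP_AUTH:
        raise ValueError("expected AUTHENTICATE (3), got type %d" % msg_type)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    # Descriptors sit at fixed header offsets; their Offset values are absolute
    domain = _read_field(msg, 28).decode(enc)
    user = _read_field(msg, 36).decode(enc)
    workstation = _read_field(msg, 44).decode(enc)
    return {
        "domain": domain,
        "user": user,
        "workstation": workstation,
        "flags": flags,
        # Machine accounts are named <hostname>$ in Active Directory
        "computer_account": user.endswith("$"),
    }


def parse_proxy_authorization(header_value):
    """Return the parsed identity for an 'NTLM <base64>' header value, or None.

    NEGOTIATE (1) and CHALLENGE (2) messages carry no user name, so only
    AUTHENTICATE messages yield a result.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != NTLMSSP_AUTH:
        return None
    return parse_authenticate(msg)


def build_authenticate(domain, user, workstation, lm_resp, nt_resp, flags=CAPTURE_FLAGS):
    """Build an AUTHENTICATE message with constructed (non-secret) responses for testing."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    payload = b""
    fields = b""
    # Descriptor order in the header: LM, NT, Domain, User, Workstation, SessionKey
    for chunk in (lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
                  workstation.encode(enc), b""):
        fields += struct.pack("<HHI", len(chunk), len(chunk), _HEADER_LEN + len(payload))
        payload += chunk
    version = b"\x06\x01\xb0\x1d\x00\x00\x00\x0f"  # 6.1 build 7600, revision 15 (as in capture)
    mic = b"\x00" * 16                               # placeholder MIC; not computed here
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTH) + fields
            + struct.pack("<I", flags) + version + mic + payload)


def computer_account_requests(headers):
    """Return (domain, user) for each request that authenticated with a machine account."""
    hits = []
    for value in headers:
        ident = parse_proxy_authorization(value)
        if ident and ident["computer_account"]:
            hits.append((ident["domain"], ident["user"]))
    return hits


# Constructed sample headers: one machine account (as in the capture), one user
# account, and a NEGOTIATE message that carries no identity at all
SAMPLE_HEADERS = [
    "NTLM " + base64.b64encode(build_authenticate(
        "KLDEV", "BLUECOAT1$", "BLUECOAT1", b"\x00" * 24, b"\x11" * 24)).decode(),
    "NTLM " + base64.b64encode(build_authenticate(
        "KLDEV", "jsmith", "WS-0042", b"\x00" * 24, b"\x22" * 24)).decode(),
    "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 20).decode(),
]

if __name__ == "__main__":
    for dom, usr in computer_account_requests(SAMPLE_HEADERS):
        print("computer account authenticated: %s\\%s" % (dom, usr))
```

Running the script against the constructed headers reports only KLDEV\BLUECOAT1$; the same parse_proxy_authorization function can be pointed at header values pulled from a packet capture or a proxy log to see which User-Agents are authenticating as machines before you grant 'Domain Computers' access.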

 

Resolution

If your organization's security policy allows computer accounts to authenticate and access the Internet, the following policy should address the problem.

<Proxy>
        realm="IWA_Realm_Name" group="DOMAIN\Domain Computers" ALLOW

or

<Proxy>
        realm="IWA_Realm_Name" group="DOMAIN\Domain Computers" user.login.log_out(yes)

The 'Domain Computers' group is available as a source Group object in the VPM's Web Access Layer, like other group objects, so the CPL above can also be applied from the VPM.

Important

Do not use any IP-based surrogate such as Proxy-IP for authentication, because the ProxySG caches the authentication result for the client IP address and may not reauthenticate later user traffic from that address within the cached duration. If you must use an IP-based surrogate, use the user.login.log_out(yes) policy above.

 

 

Related article:

KB3459
