  1. #1

    AngryTechnician

    Office 2013 displays a LOT of credential prompts with Smoothwall on NTLM

    Our Smoothwall is configured for NTLM authentication, and this generally works fine for us. However, with Office 2013, I'm seeing a LOT of requests for proxy auth credentials:



    The hostname varies, and the request will appear just by opening documents, or even just by opening Excel with a blank document. I've already added the following to our noauth lists, which has eliminated most of the auth requests:

    Code:
    officeimg.vo.msecnd.net
    office.microsoft.com
    odc.officeapps.live.com
    However, I've just found that clicking any URL in a document, or in OneNote, will prompt for credentials (unless the site is on the noauth list). In this case, the hostname listed after "Connecting to proxy server" is always the host specified in the URL.

    If I supply valid credentials, Office just asks for them again, as if they are invalid. However, if I click cancel, the URL then passes to IE and opens fine.

    I know Office 2010 was picky with NTLM auth (YouTube embedding never worked for us, for example), but it never prompted just for clicking on a link before. Office 2013 does, and I can't deploy it like this.

    Suggestions?

  2. #2

    sonofsanta
    I have no idea if this will help but it doesn't sound a million miles away from problems I've been having with Moodle, NTLM & Office 2010.

    Does stopping the WebClient service make the prompts go away?

    Hotfixes that seemed relevant (although they didn't solve my problem, they may shed light on your issue): "Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer" and "Problems may occur when you try to open an Office document from a Web site hyperlink in a 2007 Office application".

  3. Thanks to sonofsanta from:

    AngryTechnician (7th November 2012)

  4. #3

    plexer
    Would switching to Kerberos auth work?

    Ben

  5. Thanks to plexer from:

    AngryTechnician (7th November 2012)

  6. #4

    AngryTechnician
    Quote Originally Posted by sonofsanta View Post
    Does stopping the WebClient service make the prompts go away?
    The WebClient service wasn't started when I checked it. Starting it had no effect on the problem.

    Quote Originally Posted by plexer View Post
    Would switching to Kerberos auth work?
    That's top of my list of things to try this afternoon. Any hints on side-effects this might have?

  7. #5

    plexer
    Quote Originally Posted by AngryTechnician View Post
    The WebClient service wasn't started when I checked it. Starting it had no effect on the problem.



    That's top of my list of things to try this afternoon. Any hints on side-effects this might have?
    I haven't tried it

    Ben

  8. #6

    sonofsanta
    Quote Originally Posted by AngryTechnician View Post
    The WebClient service wasn't started when I checked it. Starting it had no effect on the problem.

    That's top of my list of things to try this afternoon. Any hints on side-effects this might have?
    If it wasn't started then never mind; turning it off would have been the fix. WebClient is the newer way of authorizing that sometimes causes problems (according to those KB articles); turn it off and it falls back to older methods. This is why clicking Cancel works - it gives up trying whatever auth method it's using and uses an older method that does work, hence you then get the page load.

    Kerberos auth worked fairly smoothly for me. Any user-specific rules you have set up will need updating from username to username@domain.local, and make sure your Smoothie is fully up to date, as some updates came out earlier this week that helped improve it. Any Local Users you have set up to override specific user group membership won't work, but you can set Guardian policies against specific users fine (once you're updated). I had an issue with my staff AD group not mapping to the Smoothwall group, but relinking Smoothwall to another AD group containing all staff made that work again.

    Think that was everything that came up for me. The easiest way to test is just to set up a new auth policy on a new port and then change your proxy settings on a test machine to use that port instead.

  9. Thanks to sonofsanta from:

    OverWorked (27th November 2012)
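
When testing on an alternate port as suggested above, the first Proxy-Authorization header a client sends shows whether it really presented a Kerberos ticket or quietly fell back to NTLM. The following is an added example, not code from the thread or from Smoothwall; it assumes the Kerberos policy uses the standard HTTP "Negotiate" scheme, and the sample headers are constructed rather than captured.

```python
import base64
from collections import Counter

# DER-encoded mechanism OIDs as they appear inside a GSS-API/SPNEGO token.
KERBEROS_OIDS = (
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

def classify_proxy_auth(header_value):
    """Classify the first Proxy-Authorization value a client sends."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                       # raw NTLM, also sent under "Negotiate" on fallback
    if token[:1] != b"\x60":                # initial GSS-API tokens start with tag 0x60
        return "unknown"
    # Heuristic: the mechanism OID that appears first is the one the client is using.
    hits = [(token.find(oid), "kerberos") for oid in KERBEROS_OIDS]
    hits.append((token.find(NTLM_OID), "ntlm"))
    hits = [h for h in hits if h[0] >= 0]
    return min(hits)[1] if hits else "unknown"

def summarize(header_values):
    """Count mechanisms across many requests, e.g. one test session on the new port."""
    return Counter(classify_proxy_auth(v) for v in header_values)

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed samples, not captured traffic; token bodies are shortened stand-ins.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
SAMPLES = {
    "kerberos": "Negotiate " + b64(b"\x60\x82\x01\x00" + SPNEGO_OID + KERBEROS_OIDS[0] + NTLM_OID),
    "ntlm_fallback": "Negotiate " + b64(b"NTLMSSP\x00\x01\x00\x00\x00"),
    "ntlm": "NTLM " + b64(b"NTLMSSP\x00\x01\x00\x00\x00"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", classify_proxy_auth(value))
```

A non-zero "ntlm" count on a port that is meant to be Kerberos-only points at clients that have not picked up a ticket yet or software that cannot do Kerberos at all.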

  10. #7

    AngryTechnician
    OK, testing with Kerberos on an alternate port eliminates the problem, so that looks like the way forward. Will do some further testing and update if there are any problems.

  11. #8

    AngryTechnician
    OK, just to report back: switching to Kerberos was relatively pain-free and is working well for us. Sticking with NTLM just wasn't feasible due to the above problem, so I suspect anyone who runs into the same problem will find that switching auth method is the only realistic solution.

  12. 3 Thanks to AngryTechnician:

    Duke5A (23rd November 2012), OverWorked (27th November 2012), zag (21st November 2012)

  13. #9
    Duke5A
    We haven't moved to Office 2013 yet, but I've already started to see issues like this. Out of the blue, Outlook 2010 seemingly at random starts asking for user credentials. Same symptoms as you described: asking for credentials, no matter what you give it, it fails, and clicking cancel makes it work. I didn't think that it might be trying to make a web connection. I guess I'll be moving my Squid boxes over to Kerberos next week.

  14. #10
    OverWorked
    Quote Originally Posted by AngryTechnician View Post
    OK, just to report back: switching to Kerberos was relatively pain-free and is working well for us. Sticking with NTLM just wasn't feasible due to the above problem, so I suspect anyone who runs into the same problem will find that switching auth method is the only realistic solution.
    What exactly did you do to switch Smoothwall over to Kerberos?

    I'm looking at Web proxy » Authentication » Manage policies.

    Do I just change the non-transparent auth from NTLM (TS compatible) to Kerberos (TS compatible)?

    Is there anything else?

    Thanks.

  15. #11

    AngryTechnician
    OK, bringing together advice from a few different threads:

    - DO NOT just change your auth setting from NTLM to Kerberos. It will probably not work, and I will point and laugh at you. Set up a new auth policy on a different port number and test Kerberos with a range of users first. Then test it again. Only once you are satisfied it is working should you change the auth setting on the port that your workstations are configured to use by default.

    - The main prerequisite to using Kerberos as an auth method is for Smoothwall to be joined to your domain in Services » Authentication » Settings using the "Active Directory" type, instead of the "Active Directory (legacy method)" type. If you don't see the legacy method as an option, you need to run updates on your Smoothwall.

    - Once you change from the legacy type to the new type, all users must log off and back on before their Kerberos token will be recognised by Smoothwall. Any users who logged on to their workstations before you switched to the new type will fail to authenticate to Smoothwall.

    - Before you even get around to testing Kerberos on a workstation, go to Services » Authentication » Control and run the configuration checks. Anything without a green tick next to it should be corrected first. Also, if you don't see a line with "Keytab created" and a green tick, Kerberos is not set up.

    - Any user-specific policies will need to be edited to reflect that the username will be reported as user@domain.whatever instead of just user

    - The current Kerberos implementation on the Smoothwall does not correctly process usernames with spaces in. I believe this has been raised for a future patch, but for now, the only workaround at present is to rename user accounts so they have no space (luckily we only had 22 affected accounts).

    - Local users on the workstation (such as the local admin account) will not be able to authenticate at all using Kerberos, and will have to use different proxy settings if you need access.

    - Kerberos normally works better than NTLM (which is of course why I switched to it for use with Office 2013), but some software will still choke. Notably, Java works with NTLM but does not work with Kerberos. Until this is fixed (don't hold your breath), you will need to provide a separate NTLM port for Java to use. You can specify different proxy settings for Java using Java's deployment.config file.
    Last edited by AngryTechnician; 27th November 2012 at 04:10 PM.

  16. 4 Thanks to AngryTechnician:

    Celador (28th November 2012), Jollity (12th April 2013), OverWorked (27th November 2012), zag (19th September 2013)
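
Several items in the checklist above can be checked from exported lists before any port is switched: accounts with spaces, user-specific policies that need the user@domain form, and policies that name local accounts. The following is an added example, not code from the thread or from Smoothwall; the realm is the placeholder used in the post, and the account and policy lists are constructed sample data.

```python
import re

REALM = "domain.whatever"   # placeholder from the post; substitute your AD DNS domain

def bare_name(name):
    """Strip a DOMAIN\\ prefix or an @realm suffix from an account name."""
    return name.strip().split("\\")[-1].split("@", 1)[0]

def to_kerberos_name(name, realm=REALM):
    """Return user@realm, or None when the name cannot be used as-is (empty or has a space)."""
    bare = bare_name(name)
    if not bare or re.search(r"\s", bare):
        return None
    return f"{bare}@{realm}"

def audit(ad_users, policy_users, local_accounts=()):
    """Sort accounts and user-specific policy entries by the checklist's caveats."""
    local = {n.lower() for n in local_accounts}
    report = {"rename": [], "policy_rewrite": {}, "local_only": [], "policy_review": []}
    usable = set()
    for name in ad_users:
        if to_kerberos_name(name) is None:
            report["rename"].append(name)          # space in username: rename first
        else:
            usable.add(bare_name(name).lower())
    for name in policy_users:
        bare = bare_name(name).lower()
        if bare in local:
            report["local_only"].append(name)      # local accounts cannot use Kerberos
        elif bare in usable:
            report["policy_rewrite"][name] = to_kerberos_name(name)
        else:
            report["policy_review"].append(name)   # awaiting rename, or not found in AD
    return report

# Constructed sample data (not from the thread).
AD_USERS = ["jsmith", "Mary Jones", "reception desk", "akhan"]
POLICY_USERS = ["jsmith", "SCHOOL\\akhan", "Mary Jones", "Administrator"]
LOCAL_ACCOUNTS = ["Administrator"]

if __name__ == "__main__":
    for section, items in audit(AD_USERS, POLICY_USERS, LOCAL_ACCOUNTS).items():
        print(f"{section}: {items}")
```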

  17. #12
    OverWorked
    Thanks very much, AngryTechnician! I just switched it over before you posted, and it all appears to work. The sky hasn’t fallen down. Here’s my experience, so far.

    - DO NOT just change your auth setting from NTLM to Kerberos. It will probably not work, and I will point and laugh at you.
    - I did just switch over, and it did work.

    - The main prerequisite to using Kerberos as an auth method is for Smoothwall to be joined to your domain in Services » Authentication » Settings using the "Active Directory" type, instead of the "Active Directory (legacy method)" type.
    I was already on “Active Directory” server type, so was OK.


    - Once you change from the legacy type to the new type, all users must log off and back on before their Kerberos token will be recognised by Smoothwall. Any users who logged on to their workstations before you switched to the new type will fail to authenticate to Smoothwall.
    All I experienced was a brief internet outage. Refreshing web pages got them back. I didn’t need to log off and on again.


    - Before you even get around to testing Kerberos on a workstation, go to Services » Authentication » Control and run the configuration checks. Anything without a green tick next to it should be corrected first. Also, if you don't see a line with "Keytab created" and a green tick, Kerberos is not set up.
    All green, so OK. And still all green after switching to Kerberos.


    - Any user-specific policies will need to be edited to reflect that the username will be reported as user@domain.whatever instead of just user
    I don’t have any user-specific policies, so OK.


    - The current Kerberos implementation on the Smoothwall does not correctly process usernames with spaces in. I believe this has been raised for a future patch, but for now, the only workaround at present is to rename user accounts so they have no space (luckily we only had 22 affected accounts).
    I don’t have any usernames with spaces, so OK.


    - Local users on the workstation (such as the local admin account) will not be able to authenticate at all using Kerberos, and will have to use different proxy settings if you need access.
    I don’t have any local users, so OK.


    - Kerberos normally works better than NTLM (which is of course why I switched to it for use with Office 2013), but some software will still choke. Notably, Java works with NTLM but does not work with Kerberos. Until this is fixed (don't hold your breath), you will need to provide a separate NTLM port for Java to use. You can specify different proxy settings for Java using Java's deployment.config file.
    Java on websites is becoming increasingly scarce, and I can’t think of any Java applications we have. May have to cross this bridge when I come to it.

    Any applications that struggle with authentication (e.g. Securenet) used another port to bypass authentication anyway, so they shouldn't be affected by switching to Kerberos.

    Office 2013 is now working without any annoying proxy authentication messages.
    Last edited by OverWorked; 28th November 2012 at 10:46 AM.

  18. #13

    Quote Originally Posted by AngryTechnician View Post
    OK, bringing together advice from a few different threads:
    - The current Kerberos implementation on the Smoothwall does not correctly process usernames with spaces in. I believe this has been raised for a future patch, but for now, the only workaround at present is to rename user accounts so they have no space (luckily we only had 22 affected accounts).
    It has been marked as a bug by Smoothwall.

  19. Thanks to arron from:

    Jollity (20th April 2013)

  20. #14

    Quote Originally Posted by arron View Post
    It has been marked as a bug by Smoothwall.
    Does anyone know if this has been fixed, or when it might be fixed?

    It could be a major issue for us as most of our user names have spaces in, and we want to start installing Office 2013 soon.

  21. #15

    I checked after main update 53 and it's still broken here. I don't have any idea when it will be sorted, sorry.

  22. Thanks to arron from:

    Jollity (25th April 2013)
