School Guardian 2008 and ntlm

[DMcCoy]

I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

Does anyone else use this combination successfully?

As it stands this is whats happening

User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

Using safari seems to exacerbate the issue, often losing the page style sheets.

[edsa]

Quote:

Originally Posted by DMcCoy

I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

Does anyone else use this combination successfully?

As it stands this is whats happening

User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

Using safari seems to exacerbate the issue, often losing the page style sheets.

We had a similar problem when we first installed School Guardian. A workround was to enable ntlm identification (terminal services compat mode) This seemed to do the trick until Smoothwall released an upgrade to fix the problem. We now use ntlm ident with no problems

Make sure that filtering is applied to the user groups that you wish to filter.

Have you tried a save and restart with cleared cache?

[GrumbleDook]

We are using Network Guardian and have also been on the phone tonight with Nick about a similar issue.

The above fix also worked for us.

[DMcCoy]

Hmm, seems to be something a bit like this

'[squid-users] Squid sends TCP_DENIED/407 even on already authenticated users' - MARC

In fact on the wikipedia front page I had no formating, and there was a 407 for the main.css file amongst lots of 200s.

[DMcCoy]

The 407 itself is ok, it seems that while IE mostly retries and is successful, Safari often doesn't retry or fails.

I would blame OS X and ntlm but I've not been able to replicate the issue using ntlm to an ISA proxy. I'll have a go with 10.4 tomorrow anyway.

[ahuxham]

Sorry to de-rail, but isn't NTLM just dandy?

[DMcCoy]

Quote:

Originally Posted by ahuxham

Sorry to de-rail, but isn't NTLM just dandy?

No

See attached

[DMcCoy]

Going to try ident servers on the windows and macs later instead. That should work

[plexer]

I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

Ben

[ChrisH]

Quote:

Originally Posted by plexer

I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

Ben

You usually only get that when they are trying to access from more than one machine or they have swopped machines and it hasnt timed out for the old machine yet.

[OverWorked]

I had a bit of trouble getting it going, but it's worked flawlessly since.

First of all, I second what Edsa said. Here's a few ideas:-

services » authentication » control - do you get all green lights?

services » authentication » settings - is it all filled in correctly? If you're using AD, I could PM you a screen shot of mine.

services » authentication » user activity - are users being listed?

system » preferences » time - is the clock correct? Timezone should be Europe/London. I just manually set my clock - I couldn't get NTP to work. The RTC in the BIOS should be set to GMT (not BST).

[plexer]

Nope definitely not that.

Ben

[DMcCoy]

With the persistant connections and a rebuild the 407s (without browser retries) have reduced to an acceptable level, at least with low volume testing. Just had one image not show up so far on apples home page (which was quite problematic).

Hopefully that it will work well enough to keep with ntlm, although I'll be adding ident servers to machine when I reimage

[tom_newton]

I would vaguely wonder about auth timeouts... but then i'd just be tinkering to "see if it does anything"

Also - if you enable/disable transparent filtering it changes the way NTLM does things (IIRC!).

We are looking at SPNEGO and all things "post" NTLM, but there aren't really many good, widely used standards for this sort of thang.