+ Post New Thread
Results 1 to 14 of 14
*nix Thread, School Guardian 2008 and ntlm in Technical; I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of ...
  1. #1
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110

    School Guardian 2008 and ntlm

    I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

    However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

    Does anyone else use this combination successfully?

    As it stands this is whats happening

    User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

    I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

    Using safari seems to exacerbate the issue, often losing the page style sheets.

  2. #2

    Join Date
    Apr 2007
    Location
    Northumberland
    Posts
    75
    Thank Post
    16
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by DMcCoy View Post
    I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

    However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

    Does anyone else use this combination successfully?

    As it stands this is whats happening

    User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

    I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

    Using safari seems to exacerbate the issue, often losing the page style sheets.
    We had a similar problem when we first installed School Guardian. A workround was to enable ntlm identification (terminal services compat mode) This seemed to do the trick until Smoothwall released an upgrade to fix the problem. We now use ntlm ident with no problems

    Make sure that filtering is applied to the user groups that you wish to filter.

    Have you tried a save and restart with cleared cache?

  3. #3

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,881
    Thank Post
    1,316
    Thanked 1,738 Times in 1,087 Posts
    Blog Entries
    19
    Rep Power
    563
    We are using Network Guardian and have also been on the phone tonight with Nick about a similar issue.

    The above fix also worked for us.

  4. #4
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    Hmm, seems to be something a bit like this

    '[squid-users] Squid sends TCP_DENIED/407 even on already authenticated users' - MARC

    In fact on the wikipedia front page I had no formating, and there was a 407 for the main.css file amongst lots of 200s.

  5. #5
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    The 407 itself is ok, it seems that while IE mostly retries and is successful, Safari often doesn't retry or fails.

    I would blame OS X and ntlm but I've not been able to replicate the issue using ntlm to an ISA proxy. I'll have a go with 10.4 tomorrow anyway.

  6. #6
    ahuxham's Avatar
    Join Date
    Apr 2008
    Posts
    1,122
    Thank Post
    76
    Thanked 138 Times in 109 Posts
    Rep Power
    30
    Sorry to de-rail, but isn't NTLM just dandy?

  7. #7
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    Quote Originally Posted by ahuxham View Post
    Sorry to de-rail, but isn't NTLM just dandy?
    No

    See attached
    Attached Images Attached Images

  8. #8
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    Going to try ident servers on the windows and macs later instead. That should work

  9. #9

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    12,965
    Thank Post
    587
    Thanked 1,494 Times in 1,340 Posts
    Rep Power
    397
    I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

    I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

    Ben

  10. #10
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104
    Quote Originally Posted by plexer View Post
    I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

    I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

    Ben
    You usually only get that when they are trying to access from more than one machine or they have swopped machines and it hasnt timed out for the old machine yet.

  11. #11
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,003
    Thank Post
    195
    Thanked 42 Times in 34 Posts
    Rep Power
    29
    I had a bit of trouble getting it going, but it's worked flawlessly since.

    First of all, I second what Edsa said. Here's a few ideas:-

    services authentication control - do you get all green lights?

    services authentication settings - is it all filled in correctly? If you're using AD, I could PM you a screen shot of mine.

    services authentication user activity - are users being listed?

    system preferences time - is the clock correct? Timezone should be Europe/London. I just manually set my clock - I couldn't get NTP to work. The RTC in the BIOS should be set to GMT (not BST).

  12. #12

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    12,965
    Thank Post
    587
    Thanked 1,494 Times in 1,340 Posts
    Rep Power
    397
    Nope definitely not that.

    Ben

  13. #13
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    With the persistant connections and a rebuild the 407s (without browser retries) have reduced to an acceptable level, at least with low volume testing. Just had one image not show up so far on apples home page (which was quite problematic).

    Hopefully that it will work well enough to keep with ntlm, although I'll be adding ident servers to machine when I reimage

  14. #14


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,448
    Thank Post
    865
    Thanked 839 Times in 662 Posts
    Rep Power
    194
    I would vaguely wonder about auth timeouts... but then i'd just be tinkering to "see if it does anything"

    Also - if you enable/disable transparent filtering it changes the way NTLM does things (IIRC!).

    We are looking at SPNEGO and all things "post" NTLM, but there aren't really many good, widely used standards for this sort of thang.

SHARE:
+ Post New Thread

Similar Threads

  1. Forensic Software or School Guardian which one
    By Grommit in forum Network and Classroom Management
    Replies: 19
    Last Post: 24th July 2008, 12:55 PM
  2. School Guardian
    By tldees in forum Wireless Networks
    Replies: 3
    Last Post: 12th June 2008, 05:08 PM
  3. Network Guardian 2008 is nice.
    By plexer in forum How do you do....it?
    Replies: 0
    Last Post: 23rd April 2008, 03:29 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •