+ Post New Thread
Results 1 to 14 of 14
*nix Thread, School Guardian 2008 and ntlm in Technical; I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of ...
  1. #1
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111

    School Guardian 2008 and ntlm

    I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

    However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

    Does anyone else use this combination successfully?

    As it stands this is whats happening

    User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

    I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

    Using safari seems to exacerbate the issue, often losing the page style sheets.

  2. #2

    Join Date
    Apr 2007
    Location
    Northumberland
    Posts
    75
    Thank Post
    16
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by DMcCoy View Post
    I've spent the last couple of days trying to get School Guardian 2008 installed and configured. I've found lots of nice things in it!

    However I have hit a rather nasty problem. I can't get ntlm authentication/identification to work correctly.

    Does anyone else use this combination successfully?

    As it stands this is whats happening

    User authenticates. Page is requested. Some of the page comes back. I've been talking to support who have helped a bit with the issue (turning on persistant connections seems to help quite a bit) but I've not been able to eliminate it. The content is not currently being filtered.

    I've been working on it tonight as I'm really pushed for time. One interesting thing I did note is that some items appear in the filter request log *exactly* 2 minutes after the original requests. This doesn't seem to happen with no auth, ssl auth or any of the others I would assume.

    Using safari seems to exacerbate the issue, often losing the page style sheets.
    We had a similar problem when we first installed School Guardian. A workround was to enable ntlm identification (terminal services compat mode) This seemed to do the trick until Smoothwall released an upgrade to fix the problem. We now use ntlm ident with no problems

    Make sure that filtering is applied to the user groups that you wish to filter.

    Have you tried a save and restart with cleared cache?

  3. #3

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,930
    Thank Post
    1,337
    Thanked 1,781 Times in 1,105 Posts
    Blog Entries
    19
    Rep Power
    594
    We are using Network Guardian and have also been on the phone tonight with Nick about a similar issue.

    The above fix also worked for us.

  4. #4
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    Hmm, seems to be something a bit like this

    '[squid-users] Squid sends TCP_DENIED/407 even on already authenticated users' - MARC

    In fact on the wikipedia front page I had no formating, and there was a 407 for the main.css file amongst lots of 200s.

  5. #5
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    The 407 itself is ok, it seems that while IE mostly retries and is successful, Safari often doesn't retry or fails.

    I would blame OS X and ntlm but I've not been able to replicate the issue using ntlm to an ISA proxy. I'll have a go with 10.4 tomorrow anyway.

  6. #6
    ahuxham's Avatar
    Join Date
    Apr 2008
    Posts
    1,122
    Thank Post
    76
    Thanked 138 Times in 109 Posts
    Rep Power
    30
    Sorry to de-rail, but isn't NTLM just dandy?

  7. #7
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    Quote Originally Posted by ahuxham View Post
    Sorry to de-rail, but isn't NTLM just dandy?
    No

    See attached
    Attached Images Attached Images

  8. #8
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    Going to try ident servers on the windows and macs later instead. That should work

  9. #9

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,343
    Thank Post
    624
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414
    I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

    I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

    Ben

  10. #10
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,999
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106
    Quote Originally Posted by plexer View Post
    I had several issues with NLTM some users would get asked for a username/password combo via a popup box even though it's not supposed to do this.

    I tried various things as suggested by tech support and I'll be looking into this again when I'm in over the hols.

    Ben
    You usually only get that when they are trying to access from more than one machine or they have swopped machines and it hasnt timed out for the old machine yet.

  11. #11
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,013
    Thank Post
    198
    Thanked 42 Times in 34 Posts
    Rep Power
    30
    I had a bit of trouble getting it going, but it's worked flawlessly since.

    First of all, I second what Edsa said. Here's a few ideas:-

    services authentication control - do you get all green lights?

    services authentication settings - is it all filled in correctly? If you're using AD, I could PM you a screen shot of mine.

    services authentication user activity - are users being listed?

    system preferences time - is the clock correct? Timezone should be Europe/London. I just manually set my clock - I couldn't get NTP to work. The RTC in the BIOS should be set to GMT (not BST).

  12. #12

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,343
    Thank Post
    624
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414
    Nope definitely not that.

    Ben

  13. #13
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,432
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    With the persistant connections and a rebuild the 407s (without browser retries) have reduced to an acceptable level, at least with low volume testing. Just had one image not show up so far on apples home page (which was quite problematic).

    Hopefully that it will work well enough to keep with ntlm, although I'll be adding ident servers to machine when I reimage

  14. #14


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,463
    Thank Post
    866
    Thanked 845 Times in 667 Posts
    Rep Power
    195
    I would vaguely wonder about auth timeouts... but then i'd just be tinkering to "see if it does anything"

    Also - if you enable/disable transparent filtering it changes the way NTLM does things (IIRC!).

    We are looking at SPNEGO and all things "post" NTLM, but there aren't really many good, widely used standards for this sort of thang.

SHARE:
+ Post New Thread

Similar Threads

  1. Forensic Software or School Guardian which one
    By Grommit in forum Network and Classroom Management
    Replies: 19
    Last Post: 24th July 2008, 12:55 PM
  2. School Guardian
    By tldees in forum Wireless Networks
    Replies: 3
    Last Post: 12th June 2008, 05:08 PM
  3. Network Guardian 2008 is nice.
    By plexer in forum How do you do....it?
    Replies: 0
    Last Post: 23rd April 2008, 03:29 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •