We have an Endian Firewall and I'm trying to get it to automatically pass the login credentials from the Windows 7 clients to the firewall using AD.
I have successfully joined it to the network, and I can see the computer account on my Windows Server, but it refuses to pass the login info. When you try to access a site a login box appears asking for login and password; I fill this in (according to my access policy) and it just bounces back as if it's the wrong password.
I have tried various things with no luck. I even have one of the techies from one of our partner schools looking into it, and he seems to get the same results on his test box. I'm using version 2.4.
Can anybody shed any light on this?
Are they Macs? We have Endian Firewall and it hates the Mac NTLM support. I've not used 2.4 but I know it definitely works in 2.3. Would you like a screenshot of my domain settings page? Also you might need to change group policy to allow insecure domain access (or something like that). It took me ages to figure out how to make it work properly.
No, they are all Windows 7 PCs. I'd love a screenshot of your settings page. I've tried modifying the local policy; whether it was that I changed I can't remember now.
Try it with XP. If it works with XP it's probably an incompatibility with their version of Samba, in which case there's a registry hack somewhere to downgrade Win7's more aggressive NTLM requirements.
Right, I've done some screenshots. Our domain server is (DT-SERVER) 192.168.1.2 and our domain is DESIGNTECH.SCHOOL (fully qualified). Personally I've had issues with anything above Windows 2003 Server. Win 7 isn't the issue as we have a test client running as stock and the internet works on that. The error in NTLM is between your server and Endian. If it's looking then that's because either the credentials aren't ever getting to the server or it's rejecting them. For NTLM you must use IE. Use a packet sniffer on your server and see if you can see any credentials coming through to the server (tho they will be encrypted); the problem probably lies between different versions of NTLM on your server and what Endian expects. Check the squid logs as well, e.g. error.log, cos that will tell you if the username was invalid or what. Let me know if you have more issues because I've got other ideas.
This was interesting
Thanks for the screenshots. The only thing I was missing was the DNS routing, which I've added, and I'm just in the process of restarting the system.
I've installed Wireshark on the AD server and the first initial capture didn't show any packets coming from my client, and that was from an XP machine. I will try again to confirm.
I do get TCP denied errors in the proxy log tho.
Well, the information doesn't go straight from the XP client to the Windows Server. It goes like this: XP Auth ----> Squid (Endian) pass access controls -----> Windows server.
Just had another look. Wireshark shows communication with the firewall. I can see the firewall sending requests to the AD server but, when the AD server replies, it shows error packets with a STATUS_PIPE_DISCONNECTED error.
Hmm. That's new. I'm pretty sure that's to do with security settings on the AD server. Can you show a copy of the error log that squid gives?
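The two posts above point at the proxy log as the place to tell apart "the proxy keeps challenging the browser", "the user authenticated but an access policy refused the request" and "it actually works", which all show up as TCP denied in the Endian GUI. The script below is an added example for this thread, not code from the thread or from Endian; it assumes squid's default native access.log format (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type) and runs over constructed sample lines, not a capture from the poster's firewall.

```python
"""Per-client summary of squid access.log entries.

Added example for this thread, not code from the thread or from Endian.
Assumes squid's default native log format:
  timestamp elapsed client code/status bytes method url user hierarchy/peer type
"""
from collections import defaultdict

# Constructed sample log (addresses, names and URLs invented for the example).
SAMPLE_LOG = """\
1300000000.101    0 192.168.1.50 TCP_DENIED/407 3120 GET http://www.example.com/ - NONE/- text/html
1300000000.155    0 192.168.1.50 TCP_DENIED/407 3120 GET http://www.example.com/ - NONE/- text/html
1300000000.201    0 192.168.1.50 TCP_DENIED/407 3120 GET http://www.example.com/ - NONE/- text/html
1300000000.305    0 192.168.1.51 TCP_DENIED/407 3120 GET http://www.example.com/ - NONE/- text/html
1300000000.360  210 192.168.1.51 TCP_MISS/200 8871 GET http://www.example.com/ SCHOOL\\user1 DIRECT/93.184.216.34 text/html
1300000000.410    0 192.168.1.52 TCP_DENIED/407 3120 GET http://blocked.example/ - NONE/- text/html
1300000000.470    0 192.168.1.52 TCP_DENIED/403 3460 GET http://blocked.example/ SCHOOL\\user2 NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into the fields we need.

    Returns None for blank or malformed lines rather than raising, so a
    partially written log line at the end of the file does not abort a run.
    """
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": fields[2], "code": code, "status": int(status),
            "method": fields[5], "url": fields[6], "user": fields[7]}


def verdict(c):
    """Turn one client's counters into a diagnosis string."""
    if c["authed_ok"]:
        return "auth working"
    if c["policy_denied"]:
        return "auth OK, denied by access policy"
    # A normal NTLM handshake produces up to two 407s (bare challenge, then
    # the type-2 challenge) before the request is served. Three or more
    # with no authenticated request means the proxy keeps rejecting what
    # the browser sends, which is the "bounces back" symptom in the thread.
    if c["challenges"] >= 3:
        return "challenge loop: credentials never accepted"
    return "inconclusive"


def summarize(log_text):
    """Count, per client address, NTLM challenges (407 with no user),
    policy denials (403 with a user) and authenticated successes."""
    counts = defaultdict(lambda: {"challenges": 0, "policy_denied": 0,
                                  "authed_ok": 0, "other": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        c = counts[entry["client"]]
        if entry["status"] == 407 and entry["user"] == "-":
            c["challenges"] += 1
        elif entry["status"] == 403 and entry["user"] != "-":
            c["policy_denied"] += 1
        elif entry["user"] != "-" and entry["status"] < 400:
            c["authed_ok"] += 1
        else:
            c["other"] += 1
    for c in counts.values():
        c["verdict"] = verdict(c)
    return dict(counts)


if __name__ == "__main__":
    for client, c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client}: {c['verdict']} "
              f"(407s={c['challenges']}, 403s={c['policy_denied']}, ok={c['authed_ok']})")
```

Run it against a copy of access.log pulled off the box (replace SAMPLE_LOG with the file's contents) and look at the clients that land in the "challenge loop" bucket: those are the ones whose credentials never make it past squid's NTLM helper, which is where the thread's advice about sniffing between the firewall and the AD server and reading error.log applies.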
Hope this helps
It does, but to find out more I need you to SSH in to the Endian box and get /var/logs/squid/error.log and paste it here, because the log you showed is access.log.
I'm not sure how to actually get the file off the box; if you can talk me through it I'll do it.
Have you got SSH enabled? If so, download WinSCP (an SSH file manager) and then log in that way using your terminal username and password. If not, you can enable it on the web interface.
I've already got SSH enabled, did it through the web interface. I'm using PuTTY.
PuTTY won't really help you. If you use WinSCP you'll see your entire file structure and can just drag the files to your hard disk.
or do vi (or vim)
send a screenshot of the bottom of that file over
to quit type :q