Lately we've been experiencing some authentication problems.
We're running v7.1.3-021 for Web. Browsers are IE 8 and 9, and Firefox. Desktops are XP and Win7. We have one authentication realm set up, using NTLM. We have three domain controllers listed, and the "Test Current Settings" returns no errors.
Things have been working fine for years. The browsers seamlessly pass auth credentials, never prompting the user. However, this past week, some users are randomly getting authentication popups from their browser. It's not particular times or websites. Once they enter their credentials they can resume browsing -- but may be reprompted later in the day.
There have been no recent AD or WSA changes, although this past weekend we did have a power hiccup that caused everything to reboot.
The WSA authentication logs show lots of:
Wed May 23 09:11:25 2012 Info: PROX_AUTH : - : Login for user \@[PCNAME] failed due to [No such user]
And the occasional:
Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN1]\[USERNAME] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 12)
Tue May 22 13:32:42 2012 Info: PROX_AUTH : - : Login for user [DOMAIN1]\[USERNAME]@[PCNAME] failed due to [No logon servers]
Are you by chance using 2008 AD controllers (with the latest patches)?
With a patch level somewhere in early 2012, the NetBIOS authentication on AD has been "discontinued" by Microsoft, but the WSA (pre 7.5) may still try to use it. For this short moment the auth fails and it will reconnect and probably then use 445, and things work again for a while. If you make a packet capture on port 139 towards AD in Wireshark you will find NBSS negotiations failing:
Message Type: Negative session response
Error code: Called name not present
This would confirm that you are running into this issue. The best approach is to make sure that the WSA can't communicate on port 139 with the Active Directory DCs.
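
As an added example (not part of the original posts): a small Python decoder for the NBSS replies mentioned in the answer above, for checking TCP payloads exported from a port 139 capture between the WSA and the DCs. The message types and error codes are from RFC 1002; the function names, sample payloads and 192.0.2.x addresses are constructed for illustration.

```python
import struct

# NBSS message types and negative-response error codes (RFC 1002, section 4.3)
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83
NEGATIVE_ERRORS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}

def decode_nbss(payload: bytes) -> dict:
    """Decode the first NBSS message found in a TCP/139 payload."""
    if len(payload) < 4:
        raise ValueError("NBSS header needs 4 bytes")
    msg_type, flags, length = struct.unpack("!BBH", payload[:4])
    length |= (flags & 0x01) << 16  # low flag bit extends length to 17 bits
    body = payload[4:4 + length]
    if len(body) < length:
        raise ValueError("truncated NBSS message")
    error = None
    if msg_type == NEGATIVE_RESPONSE:
        if length != 1:
            raise ValueError("negative session response carries one error byte")
        error = NEGATIVE_ERRORS.get(body[0], f"Unknown (0x{body[0]:02x})")
    return {"type": msg_type, "length": length, "error": error}

def rejecting_dcs(replies):
    """Map each DC that refused the NetBIOS session to the decoded reason."""
    refused = {}
    for dc_ip, payload in replies:
        msg = decode_nbss(payload)
        if msg["type"] == NEGATIVE_RESPONSE:
            refused[dc_ip] = msg["error"]
    return refused

# Constructed sample: (DC address, first TCP payload sent back from port 139)
SAMPLE_REPLIES = [
    ("192.0.2.10", bytes.fromhex("8300000182")),  # negative, called name not present
    ("192.0.2.11", bytes.fromhex("82000000")),    # positive session response
    ("192.0.2.12", bytes.fromhex("8300000182")),
]

if __name__ == "__main__":
    for dc, reason in rejecting_dcs(SAMPLE_REPLIES).items():
        print(f"{dc}: Negative session response ({reason})")
```
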