Blog |Follow Nick on Twitter| About
 

Recently a colleague pointed me at the following Blue Coat KB about NTLM issues as basically the iPhones on the corp network were getting multiple authentication challenges even though the username & password are saved in the connection profile!

To resolve we created a second authentication realm on the bluecoat with Kerberos & NTLM authentication disabled ( i.e. only basic auth), we then created an authentication rule which matches user agent strings and authenticates against the new basic-only realm. Below is some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 10.10.10.10 16101
security iwa edit-realm uk ;mode
alternate-server 10.10.10.11 16101
exit
security iwa create-realm ukBasicAuth 10.10.10.10 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 10.10.10.11 16101
credentials-kerberos disable
credentials-ntlm disable
exit

I should point out that the KB is out of date; upon implementing we noticed a lot of windows users getting unwanted authentication challenges therefore I suggest you only match against iphone & ipad... in-fact I stuck Macintosh in as well and my macbook is getting less challenges too!

Enjoy the CPL goodness below!

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
        request.header.User-Agent="iphone"
        request.header.User-Agent="ipad"
        request.header.User-Agent="Macintosh"
        request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
        condition=__CondList1BasicUserAgents
end condition BasicUserAgents

<Proxy>
        condition=BasicUserAgents authenticate(ukBasicAuth)  authenticate.force(no) authenticate.mode(proxy)    ; KB4741
        authenticate(uk)  authenticate.force(yes) authenticate.mode(proxy)      ; All Internet Traffic

rgds,

Nick

 
Nick Bettison ©