topic Re: Captive Portal with NTLM authentication redirect loop in General Topics

Captive Portal with NTLM authentication redirect loop

BLazarov — Thu, 22 May 2014 14:19:54 GMT

Hello,

I have successfully configured a captive portal with NTLM authentication for User-ID and users are successfully authenticating using NTLM, but right after that they are stuck in a redirect loop on the following page:

User Authentication in Process

The original web page you requested will load when the authentication process completes.
Click here if the page does not load automatically.

Authentication Method: NTLM

I've seen the knowledgebase article for the similar problem, but i have enabled User-ID on both inside and outside interfaces (tried only on Inside as well) and still does not help.

Any ideas?

I can see that users are mapped to IP once they open the first page, but anyways they are stuck in the loop:

admin@PA-2050-1(active)> show user ip-user-mapping ip 10.XX.YY.169

IP address: 10.183.224.169 (vsys1)

User: xy1\snikolov

From: NTLM

Idle Timeout: 900s

Max. TTL: 3590s

Groups that the user belongs to (used in policy)

Group(s): cn=bg-sg tytyusers,ou=groups,ou=bg,dc=go1,dc=rtrt,dc=tyty,dc=com

Re: Captive Portal with NTLM authentication redirect loop

HULK — Thu, 22 May 2014 15:40:24 GMT

Hello Blazarov,

Captive Portal Behavior

Captive portal will only be triggered by a session that matches the following criteria:

1) There is no user data for the source IP of the session

2) The session is HTTP traffic

3) The session matches a Captive Portal policy on the firewall

Captive Portal Redirect Steps

1) Web traffic from unknown IP that matches Web Form CP Policy

2) Traffic Redirected to L3 Interface

3) Firewall request credentials

- the same time firewall allocates cookie value (note that during first time allocation of cookie "Get Cookie and didn't find cookie" log message will appear on appweb3-l3svc.log

if "debug l3svc on debug" in turned on)

- Browser will save this cookie

for example Firefox under Preferences > Privacy > Firefox will: Use custom settings for history > Show cookies > Site (Cookie Name: PHPSESSID)

the PHPSESSID is the same value the PA Firewall use to check for session cookie if Captive Portal Session Cookie is enabled.

- Once the user-ip-mapping on the PA firewall times out of cleared manually Steps 1 - 2 will be repeated. Because of cookie Step 3 - 4 wont be necessary.

- In an event that the cookie is not present on the browser for some reason like corrupt cookie file the client won't be presented the Captive Portal Login Page because the firewall is still attempting to use the previous cookies. Manually removing the cookies on the browser might help.

4) Firewall authenticates user

5) User mapped and redirected to original address

Link below might be helpful

http://support.mozilla.org/en-US/kb/fix-login-issues-on-websites-require-passwords

Please try "Remove corrupt cookies file" on your test workstation to check if this will help.

Thanks

Re: Captive Portal with NTLM authentication redirect loop

BLazarov — Fri, 23 May 2014 10:09:56 GMT

UPDATE:

today we've tried it with Mozilla and it works just fine.

So it must be something in the IE security settings. Tried clearing all cookies and browse history in IE - does not help. Tried with IE10 and IE11 - same issue.

Can someone guide me which security settings might cause such issue - successful NTLM auth, therefore successful IP-to-user mapping in PA, but still redirect loop after that.