Captive Portal with NTLM authentication redirect loop


L1 Bithead

Hello,

I have successfully configured a captive portal with NTLM authentication for User-ID and users are successfully authenticating using NTLM, but right after that they are stuck in a redirect loop on the following page:

User Authentication in Process

The original web page you requested will load when the authentication process completes.
Click here if the page does not load automatically.

Authentication Method: NTLM


I've seen the knowledge base article for a similar problem, but I have enabled User-ID on both inside and outside interfaces (tried only on Inside as well) and it still does not help.


Any ideas?


I can see that users are mapped to IP once they open the first page, but anyways they are stuck in the loop:

admin@PA-2050-1(active)> show user ip-user-mapping ip 10.XX.YY.169

IP address:  10.183.224.169 (vsys1)
User:        xy1\snikolov
From:        NTLM
Idle Timeout: 900s
Max. TTL:    3590s
Groups that the user belongs to (used in policy)
Group(s):    cn=bg-sg tytyusers,ou=groups,ou=bg,dc=go1,dc=rtrt,dc=tyty,dc=com

2 REPLIES

L7 Applicator

Hello Blazarov,

Captive Portal Behavior

Captive portal will only be triggered by a session that matches the following criteria:

1) There is no user data for the source IP of the session

2) The session is HTTP traffic

3) The session matches a Captive Portal policy on the firewall

Captive Portal Redirect Steps

1) Web traffic from unknown IP that matches Web Form CP Policy

2) Traffic Redirected to L3 Interface

3) Firewall requests credentials

- At the same time, the firewall allocates a cookie value (note that during first-time allocation of the cookie, a "Get Cookie and didn't find cookie" log message will appear in appweb3-l3svc.log if "debug l3svc on debug" is turned on)

- The browser will save this cookie

For example, in Firefox, under Preferences > Privacy > Firefox will: Use custom settings for history > Show cookies > Site (Cookie Name: PHPSESSID)

The PHPSESSID is the same value the PA firewall uses to check for the session cookie if Captive Portal Session Cookie is enabled.

- Once the user-ip-mapping on the PA firewall times out or is cleared manually, Steps 1 - 2 will be repeated. Because of the cookie, Steps 3 - 4 won't be necessary.

- In the event that the cookie is not present on the browser for some reason, such as a corrupt cookie file, the client won't be presented the Captive Portal Login Page because the firewall is still attempting to use the previous cookies. Manually removing the cookies on the browser might help.

4) Firewall authenticates user

5) User mapped and redirected to original address

Link below might be helpful

http://support.mozilla.org/en-US/kb/fix-login-issues-on-websites-require-passwords

Please try "Remove corrupt cookies file" on your test workstation to check if this will help.

Thanks
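Added example, not part of the original replies and not Palo Alto Networks code: a way to check from a browser network trace whether the session cookie described above is actually being sent back during a redirect loop, which confirms or rules out the cookie as the cause. The hostnames, paths, cookie values and the trace format are constructed placeholders; only the cookie name PHPSESSID comes from the reply.

```python
from collections import Counter
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def hop(url, status, cookie="", set_cookie=""):
    """One request/response pair: Cookie header sent, Set-Cookie received."""
    return {"url": url, "status": status, "cookie": cookie, "set_cookie": set_cookie}

# Constructed traces; hostnames, paths and cookie values are placeholders.
SITE, PORTAL = "http://intranet.example/", "https://portal.example/auth"
ISSUE = "PHPSESSID=constructed1; Path=/"
# Loop in which the browser never returns the portal's cookie.
LOOPING = [hop(SITE, 302), hop(PORTAL, 302, set_cookie=ISSUE),
           hop(SITE, 302), hop(PORTAL, 302, set_cookie=ISSUE)]
# Loop in which the cookie IS returned, so the cause lies elsewhere.
COOKIE_OK = [hop(SITE, 302), hop(PORTAL, 302, set_cookie=ISSUE),
             hop(SITE, 302), hop(PORTAL, 302, cookie="PHPSESSID=constructed1")]
# Normal flow: redirect to portal, back to the site, page loads.
HEALTHY = [hop(SITE, 302), hop(PORTAL, 302, set_cookie=ISSUE), hop(SITE, 200)]

def looping_urls(trace):
    """URLs that answered with a redirect more than once in the same trace."""
    hits = Counter(h["url"] for h in trace if 300 <= h["status"] < 400)
    return [url for url, n in hits.items() if n > 1]

def unreturned_cookies(trace):
    """(host, name) pairs a host set but never received on a later request."""
    issued, revisited, returned = set(), set(), set()
    for h in trace:
        host = urlsplit(h["url"]).hostname
        sent = set(SimpleCookie(h["cookie"]))
        # Cookies this host issued on an earlier hop should be in `sent` now.
        for key in (k for k in issued if k[0] == host):
            revisited.add(key)
            if key[1] in sent:
                returned.add(key)
        issued.update((host, name) for name in SimpleCookie(h["set_cookie"]))
    return sorted(revisited - returned)

if __name__ == "__main__":
    for label, trace in (("looping", LOOPING), ("cookie ok", COOKIE_OK),
                         ("healthy", HEALTHY)):
        print(label, looping_urls(trace), unreturned_cookies(trace))
```

A loop with an empty unreturned-cookie list means the browser is handing the cookie back, so the investigation should move on from cookie handling.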

UPDATE:

Today we've tried it with Mozilla and it works just fine.

So it must be something in the IE security settings. Tried clearing all cookies and browsing history in IE - does not help. Tried with IE10 and IE11 - same issue.

Can someone guide me on which security settings might cause such an issue - successful NTLM auth, therefore successful IP-to-user mapping in PA, but still a redirect loop after that?
