2.10.4. Windows Authentication

This authentication method is a preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external Server acting as a Domain Controller. This can be a:

Advanced Proxy works with Windows integrated authentication (transparent) or with standard authentication (explicit with username and password).

Windows Authentication

You can maintain lists with authorized user names (whitelist) or unauthorized user names (blacklist).

Note

Workgroup based authentication may work, but it is neither recommended nor supported.

2.10.4.1. Global authentication settings

Global authentication settings section

Number of authentication processes The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL Duration in minutes for which credentials are cached for each single session. When this time expires, the user has to re-enter the credentials for this session. The default is 60 minutes; the minimum is 1 minute. The TTL is reset every time the user sends a new request to the Proxy Server within a session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user (optional). Number of source IP addresses from which a user can be logged in at one time. An IP address is released after the time defined at User/IP cache TTL.

Note

This has no effect when running Local authentication and the user is a member of the “Extended” group.

User/IP cache TTL Duration in minutes for which the relation between each user name and the source IP address it used is cached. The default value is 0 (disabled).

A value greater than 0 is only reasonable while using a limit for concurrent IP addresses per user.
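The following model of the cache behaviour described above is an added example, not IPCop or Advanced Proxy code: it shows the per-session TTL being reset by activity, a new session needing credentials even while another session's TTL is still valid, and the IP limit being released after the User/IP cache TTL. Times are plain minute counters, session identifiers are opaque strings, and treating a User/IP cache TTL of 0 as "limit not enforced" is an assumption.

```python
class ProxyAuthCache:
    """Model of the documented cache semantics (added example, not IPCop code)."""

    def __init__(self, cache_ttl=60, ip_limit=None, user_ip_ttl=0):
        self.cache_ttl = max(1, cache_ttl)   # minimum TTL is 1 minute
        self.ip_limit = ip_limit             # None = no limit of IP addresses per user
        self.user_ip_ttl = user_ip_ttl       # 0 = user/IP caching disabled (assumption: limit not enforced)
        self.sessions = {}                   # session_id -> (user, expires_at)
        self.user_ips = {}                   # user -> {source_ip: expires_at}

    def _live_ips(self, user, now):
        """Drop user/IP relations whose User/IP cache TTL has run out."""
        ips = self.user_ips.setdefault(user, {})
        for ip in [ip for ip, exp in ips.items() if exp <= now]:
            del ips[ip]                      # IP address released for this user
        return ips

    def request(self, session_id, src_ip, now, credentials=None):
        """Outcome of one request: 'ok', 'auth_required' or 'ip_limit'."""
        entry = self.sessions.get(session_id)
        if entry and entry[1] > now:
            user = entry[0]
            self.sessions[session_id] = (user, now + self.cache_ttl)  # TTL reset on activity
            return "ok"
        if credentials is None:
            # Unknown or expired session: credentials must be entered again,
            # even if another session of the same user is still cached.
            return "auth_required"
        user = credentials
        if self.ip_limit and self.user_ip_ttl > 0:
            ips = self._live_ips(user, now)
            if src_ip not in ips and len(ips) >= self.ip_limit:
                return "ip_limit"
            ips[src_ip] = now + self.user_ip_ttl
        self.sessions[session_id] = (user, now + self.cache_ttl)
        return "ok"
```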

Require authentication for unrestricted source addresses By default authentication is required even for unrestricted IP addresses. If you don't want to require authentication for these addresses, untick this box.

Authentication realm prompt This text will be shown in the authentication dialog. The default is “IPCop Advanced Proxy Server”.

Destinations without authentication This allows you to define a list of destinations that can be accessed without authentication.

Note

Any domains listed here are destination DNS domains and not source Windows NT domains.

Examples:

Entire domains and subdomains

*.example.net
*.google.com

Single hosts

www.example.net
www.google.com

IP addresses

81.169.145.75
74.125.39.103

URLs

www.example.net/download
www.google.com/images

Note

You can enter all of these destination types in any order.

Example for Windows Update.

To allow access to Windows Update without authentication add these destinations to the list:

*.download.microsoft.com
*.windowsupdate.com
windowsupdate.microsoft.com
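As an added example, not code from IPCop or Advanced Proxy, here is a matcher for the "Destinations without authentication" list formats shown above (domains with subdomains, single hosts, IP addresses, URLs). Assumptions: a `*.domain` entry also covers the bare domain, and a URL entry matches on a path-segment boundary; the sample list is constructed from the page's examples.

```python
from urllib.parse import urlsplit

# Constructed sample list in the format of "Destinations without authentication";
# the entry types may appear in any order, as the page notes.
NO_AUTH_DESTINATIONS = [
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "windowsupdate.microsoft.com",
    "81.169.145.75",
    "www.example.net/download",
]

def _entry_matches(entry, host, path):
    """Return True if one list entry covers the request host and path."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry.startswith("*."):
        # Entire domain and its subdomains. Assumption: the bare domain counts too;
        # the leading-dot check stops "evilexample.net" matching "*.example.net".
        domain = entry[2:]
        return host == domain or host.endswith("." + domain)
    if "/" in entry:
        # URL entry: exact host plus a path prefix, matched on a "/" boundary
        # (assumption) so "/download" does not cover "/downloads".
        ehost, _, prefix = entry.partition("/")
        prefix = "/" + prefix.strip("/")
        return host == ehost and (path == prefix or path.startswith(prefix + "/"))
    # Single host name or IP address: exact match
    return host == entry

def needs_authentication(url, entries=NO_AUTH_DESTINATIONS):
    """True if the proxy should ask for credentials before serving this URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return not any(_entry_matches(e, host, path) for e in entries)
```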

2.10.4.2. Common domain settings

Common domain settings section

Domain Enter the name of the domain you want to use for authentication. If you are running a Windows 2000 or Windows 2003 Active Directory, you'll have to enter the NetBIOS domain name.

PDC hostname Enter the NetBIOS hostname of the Primary Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller.

Note

For Windows 2000 and above the Primary Domain Controller is not assigned to a specific server. The Active Directory PDC emulator is a logical role and can be assigned to any server.

Important

The PDC hostname must be resolvable for IPCop. This can be done by adding the hostname at Services > Edit Hosts (recommended) or by editing the file /etc/hosts directly.

BDC hostname (optional).  Enter the NetBIOS hostname of the Backup Domain Controller here. If you are running a Windows 2000 or Windows 2003 Active Directory, you can enter the name of any Domain Controller. If the PDC doesn't respond to authentication requests, the authentication process will ask the BDC instead.

Important

The BDC hostname must be resolvable for IPCop. This can be done by adding the hostname at Services > Edit Hosts (recommended) or by editing the file /etc/hosts directly.

2.10.4.3. Authentication mode

Authentication mode section

Enable Windows integrated authentication If enabled, the user will not be asked for a username and password. The credentials of the currently logged in user will automatically be used for authentication. This option is enabled by default.

If integrated authentication is disabled, the user will be prompted explicitly for a username and password.

2.10.4.4. User based access restrictions

User based access restrictions section

Enabled Enables access control lists for authorized or unauthorized users.

Use positive access control / Authorized users The users listed here will be allowed web access. For all other users, access will be denied.

Use negative access control / Unauthorized users The listed users will be blocked from web access. For all other users, access will be allowed.

Note

If Windows integrated authentication is enabled, each username must be entered with the domain name as a prefix, separated by a backslash.

Example for user based access control lists using integrated authentication:

domain\administrator
domain\bruno
domain\jane
domain\maria
domain\paul
domain\steve

Note

When using integrated authentication, the user must be logged in to the domain; otherwise the name of the local workstation, instead of the domain name, will be prepended to the username.

Example for user based access control lists using explicit authentication:

administrator
bruno
jane
maria
paul
steve

Note

Explicit authentication grants access to the user even if the user is not logged in to the domain, as long as the username is the same and the local workstation password matches the domain password.
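The following is an added example, not IPCop or Advanced Proxy code, of how the positive and negative access control lists above decide a request, including the case from the note where a user not logged in to the domain is presented as workstation\user. The ACLs, the domain name `domain` and the workstation name `PC042` are constructed, and case-insensitive name comparison is an assumption.

```python
# Two constructed ACLs in the page's formats. Under integrated authentication
# the proxy sees DOMAIN\user, so the list must carry the domain prefix.
INTEGRATED_ACL = ["domain\\administrator", "domain\\bruno", "domain\\jane"]
EXPLICIT_ACL = ["administrator", "bruno", "jane"]

POSITIVE = "positive"   # Authorized users: listed users allowed, everyone else denied
NEGATIVE = "negative"   # Unauthorized users: listed users denied, everyone else allowed

def _normalize(name):
    # Assumption: names compare case-insensitively, as Windows account names do
    return name.strip().lower()

def presented_name(user, logged_in_to_domain, domain="domain", workstation="PC042"):
    """Name as integrated authentication presents it to the proxy: DOMAIN\\user when
    the user is logged in to the domain, otherwise WORKSTATION\\user (constructed names)."""
    prefix = domain if logged_in_to_domain else workstation
    return f"{prefix}\\{user}"

def access_allowed(name, mode, acl, enabled=True):
    """Apply the user based access restriction to the name the proxy received."""
    if not enabled:
        return True                      # restrictions disabled: authentication alone decides
    listed = _normalize(name) in {_normalize(u) for u in acl}
    if mode == POSITIVE:
        return listed
    if mode == NEGATIVE:
        return not listed
    raise ValueError(f"unknown access control mode: {mode}")
```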