Why is a workstation with a local user login permitted to access the Internet?
Last Updated May 23, 2017
A user logs in to a domain workstation with a local user account.
BCAAA runs on a domain server under the same local user account as the workstation above (i.e. the same user name and password, such as the default administrator account).
When accessing the Internet, the user is automatically authenticated even though the Domain Controller (DC) has no such user account.
The expected behavior is that the user would be either denied access to Internet resources or they would receive a prompt from the ProxySG Appliance to authenticate with their domain credentials.
Because BCAAA functions by attempting to log a user in to the domain to test credentials for validity, in this unique instance, the workstation using the same credentials is reported to be valid.
The solution to this issue is to ensure that all BCAAA deployments use a username and password combination that are not used by any other servers, machines or users on the network.
If the domain name isn't valid but the username is, then the DC will attempt to authenticate as a named user in the domain. Since the local credential has a matched domain credential, the authentication will pass.
This behavior is determined by the DC, so it is the same with both IWA-Direct and the BCAAA agent. In each case, the ProxySG just sends the Type 3 message to the DC, and the DC is responsible for locating the user.
You can see the above behavior for yourself if you create a local user on one of your workstations that has the same username as a domain user. Log in to the workstation as that user and attempt to authenticate to the ProxySG.
Please note the presence of the workstation name in the Type 3 message doesn't affect this behavior.
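The Type 3 (AUTHENTICATE_MESSAGE) carries three strings a defender can inspect: the domain name the client presents, the user name, and the workstation name. The following Python is an added example, not code from the article or from the BCAAA/ProxySG product: it builds constructed Type 3 messages with placeholder challenge responses, parses the string fields using the field layout from MS-NLMP (six 8-byte Len/MaxLen/Offset descriptors after the signature and message type, then the NegotiateFlags), and classifies each message. The classifier relies on the fact that a Windows client logged on with a local account fills the DomainName field with the computer's own name, which is exactly the "domain name isn't valid but the username is" case the article describes; the trusted-domain list, the account names and the workstation names are all assumptions made up for the example.

```python
import struct

NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE
HEADER_LEN = 8 + 4 + 6 * 8 + 4   # signature, MessageType, six field descriptors, NegotiateFlags


def _descriptor(offset, data):
    """One Len/MaxLen/Offset descriptor (little-endian) for a payload field."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type3(domain, user, workstation,
                lm_response=b"\x00" * 24, nt_response=b"\x00" * 24):
    """Build a constructed NTLM Type 3 message. The LM/NT responses are placeholders;
    only the DomainName, UserName and Workstation fields matter for this example."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    session_key = b""  # no EncryptedRandomSessionKey in this constructed message
    descriptors, payload = b"", b""
    # Field order in the message: LM response, NT response, DomainName, UserName,
    # Workstation, EncryptedRandomSessionKey. Offsets count from the message start.
    for data in (lm_response, nt_response, *strings, session_key):
        descriptors += _descriptor(HEADER_LEN + len(payload), data)
        payload += data
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def parse_type3(msg):
    """Extract the DomainName, UserName and Workstation strings from a Type 3 message."""
    if len(msg) < HEADER_LEN or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", msg, HEADER_LEN - 4)[0]
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM fallback

    def field(index):
        # Descriptor i sits at offset 12 + 8*i; its Offset points into the payload.
        length, _max_len, offset = struct.unpack_from("<HHI", msg, 12 + 8 * index)
        if offset + length > len(msg):
            raise ValueError("field %d runs past end of message" % index)
        return msg[offset:offset + length].decode(encoding)

    return {"domain": field(2), "user": field(3), "workstation": field(4)}


def classify_logon(parsed, trusted_domains):
    """Classify a parsed Type 3 by what the client presented.
    'local-account': DomainName equals the workstation name, the signature of a
    local logon; the DC will not know that domain and will fall back to looking the
    user name up in the domain, which is the behavior the article describes."""
    domain = parsed["domain"].upper()
    if domain in {d.upper() for d in trusted_domains}:
        return "domain"
    if domain == parsed["workstation"].upper():
        return "local-account"
    return "unknown-domain"


if __name__ == "__main__":
    # Constructed sample messages; CORP is the assumed trusted domain.
    samples = [
        build_type3("WS01", "administrator", "WS01"),  # local admin account on WS01
        build_type3("CORP", "alice", "WS02"),          # normal domain logon
        build_type3("OTHER", "bob", "WS03"),           # domain the DC does not know
    ]
    for raw in samples:
        info = parse_type3(raw)
        print(info, "->", classify_logon(info, ["CORP"]))
```

In a proxy deployment the parsed fields can be compared against the account BCAAA runs under: a Type 3 classified as "local-account" whose user name matches the BCAAA service account is the exact collision the article warns about, and is worth alerting on until the service account is changed to a unique username/password.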
Imported Document ID: 000016502