Re: [squid-users] NTLM and transparent/interception confusion

From: Kinkie <gkinkie_at_gmail.com>
Date: Sat, 3 Jan 2009 19:51:19 +0100

On Sat, Jan 3, 2009 at 11:14 AM, Guido Serassio
<guido.serassio_at_acmeconsulting.it> wrote:
> Hi Kinkie,
>
> At 18.45 02/01/2009, Kinkie wrote:
>>
>> Could you try to get a network trace of a successfully authenticated
>> http transaction?
>> I would love to see how they do it...
>
> Websense too is using something similar for filtering:
>
> They maintain an IP Address/Username table on the policy server. The table
> can be populated using different ways:
> - A logon agent, a little executable running on every client at logon time
> - Direct query to the user workstation
> - A DC agent that queries DCs for user sessions
> There isn't any kind of web browser authentication, and this solution cannot
> work with non-Windows clients or machines that are not domain members.
> Multiuser terminal server environments cannot be supported and the WS policy
> server should be Windows based and domain member for full functionality.

Yuck...
IIRC Squid's "session" helper can do that too then.
This is NOT authentication and it's absolutely insecure: even Windows
nowadays supports remote desktops (3 users can share one IP) and SNAT
("connection sharing"), and it's pretty easy to hijack a user's
credentials (simply log on to his workstation as soon as possible
after he's logged out).

An nmblookup-based external authentication helper could be set up to
do one of these, but after all what's the point? If the user has a
proper Windows infrastructure, it's much easier to use group policies
to configure the browsers.

Thanks for the clarification Guido!

-- 
    /kinkie
Received on Sat Jan 03 2009 - 18:51:29 MST
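
The following is an added example, not part of the original message and not code from Squid or Websense: an audit that replays proxy requests against an IP/username table and flags where the table's answer cannot be trusted (several users on one IP, or an entry outliving the logon). The session records, the request list and the last-logon-wins table model with entries kept after logoff are all assumptions made for illustration.

```python
from collections import namedtuple

Session = namedtuple("Session", "ip user logon logoff")

# Constructed sample data (times in seconds); not taken from any real log.
SESSIONS = [
    Session("10.0.0.5", "alice", 0, 100),
    Session("10.0.0.5", "bob", 50, 80),     # second user on the same IP
    Session("10.0.0.9", "carol", 0, 60),
    Session("10.0.0.9", "dave", 65, 200),
]
REQUESTS = [("10.0.0.5", 70), ("10.0.0.5", 90), ("10.0.0.9", 30),
            ("10.0.0.9", 62), ("10.0.0.9", 70), ("10.0.0.7", 10)]


def table_user(sessions, ip, t):
    """User a last-logon-wins IP table (assumed model) reports for ip at time t."""
    seen = [s for s in sessions if s.ip == ip and s.logon <= t]
    return max(seen, key=lambda s: s.logon).user if seen else None


def classify(sessions, ip, t):
    """Compare the table's answer with the users actually logged on at time t."""
    active = {s.user for s in sessions
              if s.ip == ip and s.logon <= t < s.logoff}
    mapped = table_user(sessions, ip, t)
    if mapped is None:
        return "unknown", mapped, active      # no table entry for this IP
    if len(active) > 1:
        return "ambiguous", mapped, active    # shared IP: terminal server, SNAT
    if not active:
        return "stale", mapped, active        # entry outlived the logon session
    if mapped not in active:
        return "mismatch", mapped, active     # table names someone who logged off
    return "ok", mapped, active


def audit(sessions, requests):
    """Return (ip, time, verdict, table_user, active_users) for each request."""
    return [(ip, t) + classify(sessions, ip, t) for ip, t in requests]


if __name__ == "__main__":
    for ip, t, verdict, mapped, active in audit(SESSIONS, REQUESTS):
        print(f"{ip} t={t:>3} table={mapped!s:<6} "
              f"active={sorted(active)} -> {verdict}")
```

Only the requests classified `ok` are ones where the table and the logon state agree; every other verdict is a request whose username in the access log would be a guess.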
