Need help with Access Control List

Status
Not open for further replies.

twhisnant (IS-IT--Management, US), Jul 16, 2003
Hey everyone. I need your help with a Proxy 2.0 problem.
Everyone in the company uses the same username/password to access the company intranet (weak I know, but I inherited the problem).
I was trying to change the permissions to allow users to use their domain accounts to access the intranet site (NT domain). Now not even the original username/password will log onto the site. It gives this error:

401.3 Unauthorized: Unauthorized due to ACL on resource

This error indicates that the credentials passed by the client do not have access to the particular resource on the server. This resource could be either the page or file listed in the address line of the client, or it could be another file on the server that is needed to process the file listed on the address line of the client.

Any ideas?? I've got 80 people all bitching at me now. Thanks in advance for any help...
 
Hi,

What did you change when you were "trying to change the permissions"? Have you enabled access control? A little more detail would help...especially the settings for access control in WWW.

Regards,

z.
 
You will have to excuse me if I leave out details; I am new to Proxy 2.0.
Under "Web Proxy Properties", under permissions, the "enable access control" is checked with the FTP protocol selected (I have not changed this from the original config.) The permission is granted to domain users.

Under "WinSock Properties", the "enable access control" box is checked with the protocol of "unlimited access", granted to domain/users.

Under Default Website Properties under "directory security", anonymous access & authentication, anonymous access is allowed and basic authentication. When I enable authentication by ACL using NT Challenge/Response, the login box shows the domain below username and password but no one can get in.

As of now, if the users want to access the company intranet they type the userid/password of a local account to the proxy server. Then when they want to travel outside of the intranet they must type in a userid/password that belongs to the NT domain (in the form of domain\userid).

This is quite confusing and I am in desperate need of documentation but the Proxy Server Documentation files (ones that should be installed) are not there. I don't have a problem with having to type the userid/password in two separate times, but this is an annoyance to the members of our network who don't see the security measures behind it.

Thanks again for any help and thank you for such a quick response zaichick.
 
Hi,

Generally...Web Proxy takes care of access to web sites, and WinSock takes care of everything else (SSL, IM, mail, etc.). If you want all your users to have unlimited Internet/FTP access, then you can disable access control in Web Proxy and that should eliminate the need for them to enter credentials to browse the internet. That should also hold true for the intranet, unless the server hosting the intranet requires it. Is the intranet being hosted on a separate box? If so, check out the authentication methods on that machine.

Regards,

z.
 
That did it. I unchecked "enable access control" for Web Proxy and left the settings in place for the intranet. Now the users are not required to enter a valid account in the domain to access the internet. I guess if I want to add some security then I can require this but not at this moment.

The intranet is hosted on that same box. We have always required users to use that login to view the company's internal site. From now on I will require them to use their domain account.

When I enable Access Control Lists via the NT Challenge/Response for the intranet, I cannot log on using a valid domain account. The other method sends login information in plain text format to login (not something that I want). Any ideas?

Do you know where I can get any good documentation on Proxy 2.0? I cannot seem to find this company's CD and it says the file(s) is missing on the server.

Again, THANK YOU for your help, zaichick.
t
 
Hey T,

If you are using only NT Challenge/Response, then make sure that the proper NTFS permissions are set on the intranet's directories (just like you would normally, not from Internet Services Manager). It sounds like you would want to give the Authenticated Users group the permissions Read & Execute, List Folder Contents, and Read.

If you set directory security from within Internet Services Manager to use Integrated Windows Authentication, then the users will not have to retype their user/pass; it will use their current logon credentials to authenticate.

I could zip up my copies of them and send them to you--leave me an address. I don't imagine that they are very large, but they are not on a machine near me so I couldn't do that for a couple hours yet.

Regards,

z.

P.S. The earlier thing about Ignore that, I was thinking back to IIS 3.0. That is where access control for web browsing was set, rather than in Web Proxy.
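
Added example, not part of the original thread and not any poster's own script: one way to check the NTFS side of a 401.3 on a Windows host that has PowerShell, by looking for the Authenticated Users entry the reply above recommends and optionally adding it. The `$SiteRoot` path and the `-Grant` switch are assumptions made for illustration.

```powershell
# Audit (and optionally fix) the NTFS ACL behind an IIS "401.3 due to ACL".
# $SiteRoot is a placeholder; point it at the intranet's content directory.
param(
    [string]$SiteRoot = 'C:\Inetpub\wwwroot',   # assumed path, not from the thread
    [switch]$Grant                              # add the missing entry when set
)

# "Authenticated Users" by well-known SID, so the OS display language is irrelevant.
$sid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl    = Get-Acl -LiteralPath $SiteRoot

# Explicit and inherited entries for that SID only. Access granted through
# other groups the user belongs to is not evaluated here.
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.IdentityReference.Value -eq $sid.Value }

$allow = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    [int]($_.FileSystemRights -band $needed) -eq [int]$needed })

# A Deny entry overlapping these rights wins over any Allow and also yields 401.3.
$deny = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    [int]($_.FileSystemRights -band $needed) -ne 0 })

if ($Grant -and $allow.Count -eq 0) {
    # ReadAndExecute inherited by subfolders and files shows in the Security
    # tab as Read & Execute, List Folder Contents and Read.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $needed, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $SiteRoot -AclObject $acl
    $allow = @($rule)
}

# Summary object: a missing Allow or a present Deny explains the 401.3.
[pscustomobject]@{
    Path                 = $SiteRoot
    AuthUsersCanReadExec = ($allow.Count -gt 0)
    DenyEntryPresent     = ($deny.Count -gt 0)
    Likely401_3          = ($allow.Count -eq 0 -or $deny.Count -gt 0)
}
```

Run it without `-Grant` first to see the current state before changing anything.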
 