Svn.

spamsvn110

QuickStart Guide to Authentication

WebTitan Version 5

Copyright 2014 Copperfasten Technologies.

All rights reserved. The product described in this document is furnished under a license
agreement and may be used only in accordance with the terms of the agreement.
Copperfasten Technologies gives no condition, warranty, expressed or implied about the
fitness or quality of this manual or the accompanying product. Copperfasten reserves the
right to make changes to this manual or the accompanying product, without notice to any
person or company. Copperfasten shall not be liable for any indirect, incidental, special, or
consequential damages, loss of profits, loss of goodwill, loss of reputation or economic loss
resulting from the use of this manual or the accompanying product whether caused through
Copperfasten negligence or otherwise and based on contract, tort, strict liability or
otherwise, even if Copperfasten or any of its suppliers has been advised of the possibility of
damages.
WebTitan is a trademark of Copperfasten Technologies Limited.

Support
WebTitan technical support specialists can provide assistance when planning and
implementing your WebTitan deployment, and deciding on the correct authentication
options to ensure a smooth deployment. Through online documentation, telephone
help, and direct email support, WebTitan ensures that your questions will be answered
in the fastest time possible. Access support information at
http://helpdesk.webtitan.com/support/home

Revision History
Version
1.0

Date
December 2014

Changes
Initial Revision

Contents
Introduction ................................................................................................................ 4
IP based authentication............................................................................................... 5
LDAP based authentication........................................................................................ 6
NTLM based authentication ....................................................................................... 8
WebTitan Active Directory Agent (WADA) ........................................................... 10
WADA Installation ............................................................................................... 11
Next Steps ............................................................................................................. 12

Introduction
WebTitan provides the option to define how users authenticate themselves to
WebTitan before accessing external web sites.
By default, authentication is disabled, which means that any user is accepted by the
WebTitan appliance without authentication. Should authentication be required, it can
be enabled via System Settings-> Authentication tab which can be seen below. The
method of authentication can be selected from the 'Policy type' drop down list.
WebTitan provides various methods of user authentication which are as follows.

IP based authentication

LDAP based authentication

NTLM based authentication

IP and LDAP based authentication

IP and NTLM based authentication

NTLM authentication in Transparent Mode via WADA (WebTitan Active

Directory Agent)

Figure 1: Authentication settings

IP based authentication and NTLM based authentication are transparent to the user,
whereas LDAP based authentication will require the user to enter their LDAP
username/password credentials on commencing web site browsing. They will only be
asked once for this information.

IP based authentication
IP based authentication is only suitable where the users have static IP addresses. Also,
it is recommended that either LDAP or NTLM authentication is used where LDAP
servers are been used to maintain the users and groups within WebTitan. To facilitate
IP based authentication within WebTitan, the following must be done:

IP based authentication must be enabled via the System Settings > Authentication
tab.

Users must be assigned IP addresses via the Users & Groups > Users tab. An IP
address can be assigned at the time of user creation or by editing an existing user.
Figure 2 below shows that users can be assigned both a single IP address and an IP
address range.

Figure 2: Add users dialog

IP authentication points

IP based authentication will be transparent to the end user.

IP based authentication should only be used for static IP addresses.

LDAP based authentication

LDAP authentication is suitable for where the users and groups are being managed by
an LDAP server and where it is preferred that the user must enter their LDAP
username/password credentials on commecing web site browsing.
To facilitate LDAP based authentication within WebTitan, the following must be
done:

LDAP based authentication must be enabled via the System Settings >
Authentication tab.

There must be at least one LDAP server specified in the Users & Groups > Users
tab.

The users associated with the authenticating LDAP server must be imported into
WebTitan.

Figure 3 is a screen shot of LDAP based authentication turned on within WebTitan,

which is then followed by figure 4 showing a screen shot of a user being prompted for
their LDAP credentials. They are only required to enter these credentials once.

Figure 3: LDAP authentication settings

Please click here to see the 'QuickStart Guide to LDAP Setup' for details on how to connect to an
LDAP server within WebTitan and also how to import LDAP users.

Figure 4: LDAP Authentication popup from Internet Explorer

If the web user enters an incorrect username or password, then they will receive the
following web page:

Figure 5: Failed authentication page

LDAP authentication points

LDAP based authentication requires the end user to enter their LDAP
credentials

NTLM based authentication

If your network uses NTLM authentication, then the NTLM users can be
transparently authenticated against the WebTitan web filter using their Microsoft
Windows credentials.
To facilitate NTLM based authentication within WebTitan, the following must be
done.

NTLM based authentication must be enabled via the System Settings >
Authentication tab.

Users must browse using Internet Explorer or Mozilla Firefox.

Figure 6 below shows sample settings for an NTLM server. Verification of the settings
occurs automatically once the 'Save' button is clicked.

Figure 6: NTLM authentication settings

If your NTLM server does not authenticate successfully, the following error codes
returned by WebTitan could be of use.
Error Code

Explanation

-1

NTLM authentication isn't enabled.

-2

The username or password was not correct.

-3

Can't connect to domain controllers.

-4

/usr/local/bin/net join command failed with

another reason.

-5

winbindd is not working(wbinfo -p).

-6

winbindd is not working correctly (wbinfo -t).

NTLM authentication points

NTLM based authentication will be transparent to the end user.

NTLM based authentication only works with Internet Explorer and

Mozilla Firefox.

Users who do not match any NTLM user account will automatically be
controlled by the 'Default' policy and will appear in reports as the
'GDefault' user.

WebTitan Active Directory Agent (WADA)

The WebTitan Active Directory Agent (WADA) is a Windows service maintaining a
list of active logon sessions, mapping an IP address to a username. This information is
then passed to WebTitan to allow user filtering rules to be applied based on the logged
in users policy settings.
The information is gathered from 3 different sources that exist on Windows network:

LDAP

Event Logger

network sessions

The LDAP mechanism collects a list of computers in the domain and based on the
lastLogon parameter will contact each computer using the WMI protocol to check for
active logon sessions and eventually get the username. Not all computers are checked,
only those with lastLogon field within the range defined in the configuration (1 year
by default).
The Event Logger mechanism listens to the event logger for special events that
contains information about username and IP.
Additionally, network sessions are enumerated (by default each 10 seconds) to
discover active sessions. This method is important especially when there are users on
the network that don't turn-off their computers for a very long time and for some
reason their computers are not reachable with WMI.
The results from all those methods are then merged into one list and transmitted to
WebTitan.

10

WADA Installation
Install on the Active Directory Server or on another server in the domain. The
installation is a straight forward process using the MSI WADA kit as below.

Figure 7: WADA installation

Figure 8: WADA installation accept the license

Figure 9: WADA installation - WebTitan server settings

11

Enter the IP address of your WebTitan. NOTE: Specify the proxy port that WebTitan is
listening on for HTTP requests. Default: 8881.

Figure 10: WADA installation - AD credentials

Finally enter your domain administration credentials for your Active Directory , e.g.
copperf\admin / password.

Next Steps
To implement transparent identification of users in transparent mode (Figure 11), you
must configure the WebTitan appliance to operate in transparent mode, and have
imported your users from Active Directory on the Users & Groups -> Users page
(Figure 12).

12

Figure 11: Import users from Active Directory

Figure 12: Transparent mode proxy

On the System Setup -> Authentication page, it is sufficient to choose IP based

authentication.
13