Wrong ProxySG policy enforced for Local User in a Windows SSO environment


Article ID: 165366


Products

ProxySG Software - SGOS

Issue/Introduction

In some cases a user who logs in to a workstation with a local (non-domain) account, and who the ProxySG policy should block from all websites, is nevertheless able to reach those websites.



Cause

This issue can occur in a Windows SSO environment that uses Domain Controller Query (DCQ) when a user logs in with a local account only, on a DHCP-enabled workstation, and two conditions hold: the workstation has been assigned an IP address that a previous (domain) user's workstation held, and the BCAAA entry mapping that IP address to the previous user has not expired. The ProxySG then continues to apply the previous user's policy, which may differ from the policy intended for the current user.

Resolution

This issue is governed by the following settings in the BCAAA sso.ini file:

****************************************************************************
[DCQSetup]

; The number of seconds that a logon, found by querying the domain
; controller, should be considered valid. By default logons are
; valid until another user logons at the same IP address.

; Make logons valid for one day
; ValidTTL=86400

****************************************************************************

Read the fragment carefully: with ValidTTL left commented out (the default), a logon learned by querying the domain controller remains in BCAAA's IP-to-user table indefinitely, until another user logs on at the same IP address. Uncommenting ValidTTL=86400 caps the lifetime of such an entry at one day (86400 seconds). In either case the entry can outlive the workstation's DHCP lease, which is what the scenario below relies on.

Assume User A is a user who logs in to the domain and who is allowed by ProxySG policy to access the websites.
User B is a user who logs in locally (not to the domain) on a workstation and who is not supposed to have access to the websites.

Consider the following sequence:

1. User A logs in to the domain and browses a website as usual, then logs off.
2. The DHCP lease for User A's IP address expires.
3. User B logs in locally (not to the domain) on a workstation, and that workstation receives the IP address previously held by User A's workstation.
4. All of this happens while the BCAAA entry for that IP address is still valid: within ValidTTL if it is set, or at any time with the default, since no other domain logon at that IP has been seen.

The result is that User B can browse the website even though policy says otherwise.

When User B browses the Internet through the ProxySG, the ProxySG sends the client IP address to the BCAAA agent. BCAAA finds the IP address in its IP-to-User table (the entry is still valid) and reports that it maps to User A, so the ProxySG applies User A's policy, which allows the website. Neither the ProxySG nor BCAAA knows User B's username, because a local logon generates no domain controller logon event. Lowering ValidTTL narrows the window in which a stale entry can be reused, but it cannot close it: the local logon is never seen by DCQ, so nothing replaces the stale entry until it expires or another domain user logs on at that IP address.
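The following is an added illustration, not code from SGOS or BCAAA: a small model of the IP-to-user table that the DCQ path consults, run through the scenario above with ValidTTL unset (the default) and with two explicit values. The table class, the policy map, the IP address 10.0.0.25, the account name DOMAIN\usera and the timestamps are all constructed for this example. It shows the point the text makes: because User B's local logon never produces a domain controller event, the only thing that can remove User A's entry is the TTL or another domain logon at the same address.

```python
"""Toy model of the BCAAA IP-to-user table used by Domain Controller Query.

Added example; nothing here is vendor code. Names, addresses and times are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Logon:
    user: str
    seen_at: float  # time (seconds) the DC logon event was observed


@dataclass
class IpToUserTable:
    # None models sso.ini with ValidTTL commented out (the default): entries
    # live until another user logs on at the same IP address.
    valid_ttl: Optional[int] = None
    entries: Dict[str, Logon] = field(default_factory=dict)

    def dc_logon(self, ip: str, user: str, now: float) -> None:
        """Record a domain logon learned from the domain controller.

        A local (workstation-only) logon produces no such event, so this
        method is never called for it; that is the whole problem.
        """
        self.entries[ip] = Logon(user, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Answer the ProxySG's 'who is at this IP?' question."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if self.valid_ttl is not None and now - entry.seen_at > self.valid_ttl:
            del self.entries[ip]  # expired, ValidTTL reached
            return None
        return entry.user


# Constructed policy: only the mapped domain user is allowed; an unmapped
# (unknown) client falls through to deny.
POLICY = {"DOMAIN\\usera": "allow"}


def decide(table: IpToUserTable, client_ip: str, now: float) -> Tuple[Optional[str], str]:
    user = table.lookup(client_ip, now)
    return user, POLICY.get(user, "deny")


def run_scenario(valid_ttl: Optional[int], userb_browses_at: float) -> Tuple[Optional[str], str]:
    """Steps 1-4 from the article, returning (mapped user, verdict) for User B."""
    table = IpToUserTable(valid_ttl)
    ip = "10.0.0.25"
    table.dc_logon(ip, "DOMAIN\\usera", now=0)     # step 1: User A domain logon
    # steps 2-3: lease expires and is reassigned; User B logs on locally.
    # No dc_logon() call happens, because BCAAA never sees a local logon.
    return decide(table, ip, now=userb_browses_at)  # step 4: User B browses


def replaced_by_new_domain_logon(valid_ttl: Optional[int]) -> Tuple[Optional[str], str]:
    """Contrast case: a *domain* logon at the same IP does replace the entry."""
    table = IpToUserTable(valid_ttl)
    ip = "10.0.0.25"
    table.dc_logon(ip, "DOMAIN\\usera", now=0)
    table.dc_logon(ip, "DOMAIN\\userc", now=3600)   # constructed second user
    return decide(table, ip, now=3700)


if __name__ == "__main__":
    print("default (no ValidTTL), 3 days later:", run_scenario(None, 3 * 86400))
    print("ValidTTL=86400, 1 hour later:       ", run_scenario(86400, 3600))
    print("ValidTTL=86400, 25 hours later:     ", run_scenario(86400, 90000))
    print("ValidTTL=900, 1 hour later:         ", run_scenario(900, 3600))
    print("domain logon by another user:       ", replaced_by_new_domain_logon(None))
```

With ValidTTL unset, User B is still treated as User A three days later; with ValidTTL=86400 the window is a day; a smaller ValidTTL shortens it further but, as the contrast function shows, only a domain logon at that address or expiry ever evicts the stale entry.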