Why is a workstation with a local user login permitted to access the Internet?

Article ID: 167583

Products

ProxySG Software - SGOS

Issue/Introduction

 

Criteria:

  • A user logs in to a domain-joined workstation with a local user account (not a domain account).
  • BCAAA runs on a domain member server under an account with the same username and password as that local workstation account (for example, the built-in Administrator account).
  • When the user accesses the Internet, the ProxySG authenticates them automatically, even though they logged in with a local account rather than a domain account the Domain Controller (DC) knows about.

The expected behavior is that the user would be either denied access to Internet resources or they would receive a prompt from the ProxySG Appliance to authenticate with their domain credentials.  

Resolution

BCAAA validates credentials by attempting to log the user on to the domain. In this case the workstation's local account carries the same username and password as an account in the domain, so the domain logon succeeds and the user is reported as valid.

The solution is to ensure that every BCAAA deployment uses a username and password combination that is not used by any other server, workstation or user on the network. More generally, any local account that shares both its username and its password with a domain account will be authenticated in the same way (see Further details), so local and domain accounts should never share a password.

 

Further details

If the domain name in the Type 3 message is not a domain the DC recognises (for a local logon it is the workstation name) but the username matches a domain account, the DC attempts the authentication against that domain account. Because the local account has the same password as the domain account, the NTLM response validates and authentication succeeds.

This behavior is determined by the DC, so it is the same for IWA-Direct and for the BCAAA agent. In both cases the ProxySG only forwards the NTLM Type 3 (AUTHENTICATE) message to the DC; the DC is responsible for locating the user.

You can see this behavior for yourself: create a local user on one of your workstations with the same username and password as a domain user, log in to the workstation as that local user, and attempt to authenticate to the ProxySG.

Note that the presence of the workstation name in the Type 3 message does not affect this behavior.