Why is a workstation with a local user login permitted to access the Internet?

Article Id: 167583

Status: Published

Updated On: 23-05-2017 12:37

Legacy Id: TECH243482

Products:

ProxySG Software - SGOS

Issue/Introduction:

Criteria:

A user logs in to a domain workstation with a local user account.
BCAAA runs in a domain server using the same local user account as the above workstation (i.e. same user name and password, such as the default administrator account).
When accessing the Internet, the user is automatically authenticated even though Domain Controller (DC) doesn't have the user account.

The expected behavior is that the user would be either denied access to Internet resources or they would receive a prompt from the ProxySG Appliance to authenticate with their domain credentials.

Resolution:

Because BCAAA functions by attempting to log a user in to the domain to test credentials for validity, in this unique instance, the workstation using the same credentials is reported to be valid.

The solution to this issue is to ensure that all BCAAA deployments use a username and password combination that are not used by any other servers, machines or users on the network.

Further details

If the domain name isn't valid but the username is, then the DC will attempt to authenticate as a named user in the domain. Since the local credential has a matched domain credential, the authentication will pass.

This behavior is determined by the DC, so it's the same with both IWA-Direct and BCAAA agent implementation. In each case, we just send the type 3 message to the DC and the DC is responsible for locating the user.

You can see the above behavior for yourself if you create a local user on one of your workstations that has the same username as a domain user. Log in to the workstation as that user and attempt to authenticate to the SG.

Please note the presence of the workstation name in the Type 3 message doesn't affect this behavior.