We have a managed proxy based on Squid, using NTLM "fakeauth" authentication. The system has been running well for over a year.

My issue lies in the client, I believe. As of yesterday, a specific user on a specific laptop cannot browse anymore because the username IE is supplying is wrong.

The user's username is bsmith, but the proxy is receiving the username as billsmith, which is the user's name. I have confirmed that he is definitely logged into Windows as bsmith, which matches his AD username. Nowhere in AD does the string billsmith appear, so I'm at a loss for where Windows/IE is getting this string from to use as the username. We are (slowly) migrating from the bsmith structure to bill.smith structure for usernames; we have never used billsmith format without the separating period.

The user can log in to another machine and it works fine. All other users are unaffected.

The strangest thing is that according to the proxy logs, it changed right in the middle of a browsing session yesterday afternoon. I was in offsite meetings all day yesterday and since I'm the whole IT department, nothing was changed in AD etc. WSUS updates were done last week so no "random" updates should have been installed yesterday.

I'm about to try Firefox to see what it does and whether it's IE or Windows causing the issue, but I thought I'd post here first as well to solicit some input from others.

EDIT: Firefox DOES work; the correct username is passed (confirmed in the Squid logs) and browsing is successful. The client is a Windows XP machine with IE8. I have cleared all Browsing History (including passwords) but the same issue persists.

fukawi2

2 Answers

Well, the fact that Firefox works is a red herring here... The problem was in Windows. Windows had the username incorrectly saved. How? User insists that he didn't change anything, but we all know what that means....

Solution: Control Panel -> User Accounts -> Advanced tab -> Manage Passwords then remove the appropriate entry from the list. Voilà!

Thanks to @NathanC for pointing me that way.

fukawi2

I don't have enough (read: any) rep to comment on fukawi2's accepted answer, but I wanted to shed some possible light on the "How? User insists that he didn't change anything" part.

We ran into almost the exact same issue described here. A user had their profile rebuilt, and the technician's credential was showing up in our web server logs for a single specific server. All other servers took the logged-in user credential. From talking to him, it sounds like he mapped a drive to restore their profile.

Following fukawi's solution above resolved it, so it is possible that under certain circumstances mapping a drive may lead to the credential being cached for browser use?

MichaelM
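
A log-side check for the symptom described in the question (the username a client presents to the proxy changing mid-session), as an added example that is not part of the original posts. It assumes Squid's native access.log layout with the authenticated user in the eighth field; the sample lines and function names are constructed for illustration.

```python
# Constructed sample lines in Squid's native access.log layout (assumed):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1286536301.100    120 192.0.2.15 TCP_MISS/200 5120 GET http://example.com/ bsmith DIRECT/198.51.100.7 text/html
1286536309.450     95 192.0.2.22 TCP_MISS/200 2048 GET http://example.org/ jdoe DIRECT/198.51.100.9 text/html
1286536355.730     80 192.0.2.15 TCP_MISS/200 1024 GET http://example.com/a.css bsmith DIRECT/198.51.100.7 text/css
1286536402.010      2 192.0.2.15 TCP_DENIED/407 1780 GET http://example.com/b - NONE/- text/html
1286536402.200      3 192.0.2.15 TCP_DENIED/403 1650 GET http://example.com/b billsmith NONE/- text/html
1286536420.900     70 192.0.2.22 TCP_MISS/200 4096 GET http://example.org/x jdoe DIRECT/198.51.100.9 text/html
"""


def normalize_user(field):
    """Lower-case the user field and drop a DOMAIN\\ prefix; '-' means no user."""
    if field == "-":
        return None
    return field.rsplit("\\", 1)[-1].lower()


def find_username_changes(lines):
    """Return (timestamp, client, old_user, new_user) each time a client
    presents a different authenticated username than it did previously."""
    last_user = {}
    changes = []
    for line in lines:
        parts = line.split()
        if len(parts) < 10:
            continue  # skip truncated or non-native-format lines
        ts, client, user = float(parts[0]), parts[2], normalize_user(parts[7])
        if user is None:
            continue  # unauthenticated request, e.g. the 407 challenge
        prev = last_user.get(client)
        if prev is not None and prev != user:
            changes.append((ts, client, prev, user))
        last_user[client] = user
    return changes


if __name__ == "__main__":
    for ts, client, old, new in find_username_changes(SAMPLE_LOG.splitlines()):
        print(f"{ts:.3f} {client}: user changed {old} -> {new}")
```

Addresses shared by several users (terminal servers, NAT) will show legitimate username changes, so treat hits as leads to check against the client's stored credentials.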