Choose from several options for complete web, email and data security.
Learn more
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Come work for the global leader in unified information security. Go
Hello,I have the Integrated Windows Authentication and every 2/3 days I have the following errors on my WCG (/var/log/messages) :May 7 15:21:43 fprx01 content_gateway[4088]: WARNING: winauth: Auth queues are full - FAILED to get NTLM helper after 10 triesMay 7 15:21:43 fprx01 content_gateway[4088]: ERROR: winauth failure: auth_error_ntlm HELPER_FAIL_NTLM (client ip:Citrix_server117)May 7 15:21:48 fprx01 content_gateway[4088]: WARNING: winauth: Auth queues are full - FAILED to get NTLM helper after 10 triesMay 7 15:21:48 fprx01 content_gateway[4088]: ERROR: winauth failure: auth_error_ntlm HELPER_FAIL_NTLM (client ip:Citrix_server116)May 7 15:21:48 fprx01 content_gateway[4088]: WARNING: winauth: Auth queues are full - FAILED to get NTLM helper after 10 tries...The consequence is that until I restart the websense service on my WCG I have no more traffic allowed.What I do not understand is that The fail open authentication option is checked on my WCG. So why traffic is not allowed even if there are some authentication problem ?
Thank you.
I believe the fail open authentication option is for if it fails to authenticate a user... this above sounds like a failure with the winauth service on the WCG which is a different thing entirely.
Either way, this is breaking your network every few days so I hope you've opened a high severity case with Websense Support?
What Version?
Based upon what you indicated above, you are using the following IWA, WCG, Citrix, and NTLM.
With IWA (Kerberos) enabled, normally you do not need a DC Agent or Logon Agent. Do you need NTLM enabled within the WCG? Are you using DC Agent and Logon Agent configured (Citrix) for legacy AD? Also are you using Multi-Realm? What about Mixed Mode vs Native Mode?
OK i misunderstood the Fail Open meaning.
I have the websense security gateway anywhere (1 Triton + cluster of WCG) with IWA and the websense Citrix integration service.
I'm not using multi-realm (only one realm with a cluster of win 2003 R23 Domain Controllers)
I'm in Native Mode.
From Triton http interface, I have no agent configured.
From WCG http interface, Legacy NTLM is disabled, only IWA is enabled for authentication, WCG is well joined to the domain and the troubleshoot authentication displays no error.
So I don't understand why in /var/log/messages every error or warning refered to NTLM and why it makes WCG unable to answer requests ?
I was going to run again the domain authentication test and I saw that the below counters display only NTLM request, absolutly no IWA request !
<a href="http://www.casimages.com/img.php?i=120515052043184914.jpg" title="upload image">Cliquez ici pour voir mon image</a>
I'm a little bit lost, how to make IWA works ? How can I only have NTLM request whereas IWA is checked ?
I also see from WCG http interface that there are only NTLM reqests, absolutly no Kerberos request authentication.
Hi Alex,
I believe it's related to the Cluster configuration you have.
I have the same issue, and i remember that IWA can not wotk with WCG cluster.
If someone could give the technical explanation, it could be great for our understanding.
Regards,
Hi Yourax,
Websense support installed me the following hotfix :
WCG_7.6.0_Hotfix_02_WCG_SPNEGO_NTLMSSP_Mechtype_linux.tar.gz
and it fixed the problem.
