Failure to authenticate clients
These conditions are required to authenticate clients:
- Content Gateway clients must be a member of the same domain as that joined by Content Gateway.
- Client system time must be in sync with the domain controller and Content Gateway to within plus or minus 1 minute.
- Explicit proxy clients must not be configured to send requests to the IP address of Content Gateway. Clients must use the Fully Qualified Domain Name (FQDN) of Content Gateway. If the IP address is used, NTLM authentication is always performed.
- The Content Gateway FQDN must be in DNS and resolvable by all proxy clients.
- Browsers and other client applications must specify the FQDN of Content Gateway as an intranet site or trusted site.
- When the Active Directory is configured with multiple Sites, the subnet that Content Gateway is on must be added to one of them. If it’s not, the following alarm may be generated when Content Gateway is restarted:
Windows domain [domain name] unreachable or bad membership status
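The client-side conditions above can be pre-checked before opening a Diagnostic Test. The POSIX shell script below is an added example, not part of the Content Gateway product or its documentation: it takes a client's proxy URL and the client and domain-controller clock readings (as epoch seconds), reports whether the proxy host is an IP literal (which forces NTLM) or a bare short name rather than an FQDN, and whether clock skew stays within the one-minute limit. The host names, URLs and timestamps it uses are constructed for illustration; the `check_client` function and its return-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not Content Gateway's own tooling: offline pre-flight checks
# for the IWA client conditions listed above. Host names, URLs and timestamps
# are constructed for illustration.

MAX_SKEW_SECONDS=60   # the document's "plus or minus 1 minute"

# Extract the host part of a proxy URL such as http://wcg.corp.example.com:8080
# (scheme, userinfo, port and path are stripped; IPv6 brackets are kept).
proxy_host_from_url() {
    h=${1#*://}
    h=${h%%/*}
    h=${h##*@}
    case "$h" in
        \[*) h="${h%%]*}]" ;;
        *)   h=${h%%:*} ;;
    esac
    printf '%s\n' "$h"
}

# Succeeds when the host is an IP literal (dotted quad or bracketed IPv6).
# Per the list above, pointing clients at the IP address forces NTLM.
host_is_ip_literal() {
    case "$1" in
        \[*\]) return 0 ;;                        # [::1] style IPv6 literal
        *[!0-9.]* | *..* | .* | *.) return 1 ;;   # non-digit or empty octet
        *.*.*.*.*) return 1 ;;                    # more than three dots
        *.*.*.*) return 0 ;;                      # a.b.c.d
        *) return 1 ;;
    esac
}

# Succeeds when the name is fully qualified (contains a dot) and is not an
# IP literal; clients must use the Content Gateway FQDN.
host_is_fqdn() {
    host_is_ip_literal "$1" && return 1
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when two epoch timestamps differ by at most MAX_SKEW_SECONDS.
# Live use: clock_skew_ok "$(date +%s)" "$dc_epoch", with dc_epoch obtained
# from the domain controller (for example by querying its time service).
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW_SECONDS" ]
}

# Runs the offline checks for one client configuration and prints each result.
# Returns the number of failed checks, so 0 means the client setup is sound.
check_client() {
    url=$1; client_epoch=$2; dc_epoch=$3; failures=0
    host=$(proxy_host_from_url "$url")
    if host_is_ip_literal "$host"; then
        echo "FAIL proxy host '$host' is an IP address: NTLM will always be used"
        failures=$((failures + 1))
    elif ! host_is_fqdn "$host"; then
        echo "FAIL proxy host '$host' is not a fully qualified domain name"
        failures=$((failures + 1))
    else
        echo "ok   proxy host '$host' is an FQDN"
    fi
    if clock_skew_ok "$client_epoch" "$dc_epoch"; then
        echo "ok   clock skew is within ${MAX_SKEW_SECONDS}s of the domain controller"
    else
        echo "FAIL clock skew exceeds ${MAX_SKEW_SECONDS}s against the domain controller"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed demonstration: a sound client, then one pointed at the IP address
# with a clock five minutes ahead of the domain controller.
NOW=1700000000
check_client "http://wcg.corp.example.com:8080" "$NOW" "$((NOW + 20))" || :
check_client "http://10.0.0.5:8080" "$((NOW + 300))" "$NOW" || :
```

The DNS condition (the FQDN must resolve for every client) is deliberately not scripted here because it needs a live lookup; `getent hosts "$host"` on the client, or the Diagnostic Test described below, covers it.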
Troubleshooting
In the Content Gateway manager, use the Diagnostic Test function on the tab. This Monitor page displays authentication request statistics and provides the diagnostic test function.
The Diagnostic Test function performs connectivity and authentication testing and reports errors. It also shows domain controller TCP port connectivity and latency.
Errors and messages are logged to:
- /var/log/messages
- content_gateway.out
- /opt/WCG/logs/smbadmin.log
- /opt/WCG/logs/smbadmin.join.log
Performance issues
- IWA (Kerberos): Authentication performance is bound by CPU. There is no communication to the domain controllers for Kerberos authentication.
- NTLM and Basic: Domain controller responsiveness affects performance. The page shows average response time.