Event ID 1306 is the result of an invalid token sent to the authentication system. Basically, it means the credentials sent by the workstation to the proxy could not be validated against the domain(s).
The most likely reasons for this event to be generated include:
- A user didn't provide a valid domain username/password when prompted to do so.
- A user didn't use domain credentials when logging on to the workstation. This makes the browser provide local credentials to the proxy instead of domain credentials, which results in authentication failing.
- A user agent (software running on the workstation) was not able to provide credentials when accessing the internet. Examples of such software include iTunes, WinAmp, Java (in some cases) and custom applications.
Troubleshooting tips:
- Examine the access logs for access denied messages and pay special attention to the user-agent field. Here are a couple of examples (the first example shows Java making a request, the second shows a browser, Google Chrome, making a request):
- 2010-04-06 20:33:35 2 x.x.x.x - - - PROXIED "unlicensed;unavailable" - 200 - CONNECT - tcp 10.1.1.1 8082 / - - "Mozilla/4.0 (Windows Vista 6.0) Java/1.6.0_14" 10.78.1.50 39 180 -
- 2010-04-06 20:33:23 187 x.x.x.x - - - OBSERVED "unlicensed;unavailable" http://www.google.com/ 204 TCP_NC_MISS GET text/html http www.google.com 80 "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/126.96.36.1995 Safari/532.5" 10.78.1.50 290 1094 -
In the example above, if the Java request was answered by a 401 (Authenticate) or a 407 (Proxy Authenticate), the application might not have been able to provide credentials, in which case the connection would be denied and the 1306 message would be generated in the BCAAA server's event log.
- Looking at a packet capture might reveal a workstation or a user-agent having issues with authentication.
  - Open a packet capture taken from the proxy while the error messages were being generated.
  - Use the Wireshark filter "http.request or http.response" and look for requests that were not authenticated properly. It is normal for some connections to include three (3) responses that are either 401s or 407s. Abnormal behavior would be an application going into a loop where it makes the same request over and over again and the result is always the proxy asking for credentials. This would mean the user-agent making that request simply can't provide credentials and attempts the connection again and again.
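
The access-log review and the retry-loop check described above can be combined into one pass over an exported access log. The Python below is an added example, not vendor code: it assumes the field positions seen in the sample lines on this page (client IP fourth, username fifth, status eleventh, user-agent fifth from the end), and the sample rows, addresses and the `alice` username are constructed.

```python
import shlex
from collections import defaultdict

def parse_line(line):
    """Return (client_ip, username, status, user_agent), or None if unusable."""
    if not line.strip() or line.startswith("#"):   # blank or log header line
        return None
    try:
        f = shlex.split(line)                      # keeps quoted fields whole
    except ValueError:                             # unbalanced quote in a field
        return None
    if len(f) < 16 or not f[10].isdigit():
        return None
    # Assumed layout, taken from the sample lines on this page.
    return f[3], f[4], int(f[10]), f[-5]

def find_auth_loops(lines, threshold=4):
    """Flag (client, user-agent) pairs challenged more than the three times the
    page calls normal, and never seen making an authenticated request."""
    challenges = defaultdict(int)
    authenticated = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, status, agent = rec
        if status in (401, 407):
            challenges[(ip, agent)] += 1
        elif user != "-":
            authenticated.add((ip, agent))
    return sorted((n, ip, agent) for (ip, agent), n in challenges.items()
                  if n >= threshold and (ip, agent) not in authenticated)

# Constructed sample rows (not real log data).
def _row(ip, user, status, agent):
    verdict, action = (("OBSERVED", "TCP_NC_MISS") if status == 200
                       else ("DENIED", "TCP_DENIED"))
    return (f'2010-04-06 20:33:35 2 {ip} {user} - - {verdict} "unavailable" - '
            f'{status} {action} GET - http www.example.test 80 / - - '
            f'"{agent}" 192.0.2.1 39 180 -')

JAVA = "Mozilla/4.0 (Windows Vista 6.0) Java/1.6.0_14"
CHROME = "Mozilla/5.0 (Windows NT 6.0) Chrome"
SAMPLE = ([_row("192.0.2.10", "-", 407, JAVA)] * 5
          + [_row("192.0.2.20", "-", 407, CHROME)] * 2
          + [_row("192.0.2.20", "alice", 200, CHROME)])

if __name__ == "__main__":
    for count, ip, agent in find_auth_loops(SAMPLE):
        print(f"{ip} challenged {count} times, never authenticated: {agent}")
```

Any pair it reports is a candidate for the user-agent problem described in the list of likely reasons, and its timestamps can be matched against 1306 entries in the BCAAA server's event log.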