Setup Basic authentication for HTTP mirror server


Guest dmveron


Hello,

I'm trying to set up Basic authentication for the HTTP mirror server feature inside the Remote Administrator. Under Tools > Server Options > Advanced > Edit Advanced Settings, I have set up a user name and password. Everything looks fine when you save and close, but when it doesn't work and you go back to the config file, the password has been reset to blank. This problem was also brought up in a previous post ( hxxp://www.wilderssecurity.com/showthread.php?t=325556 ) but was never answered.

Also, how does the "Password for Clients" under Tools > Server Options > Security relate to this? I also tried setting up a password there, but accessing the mirror server requires both a user name and password, so I don't know what the user name would be.

Any help would be appreciated. Thanks.

Link to comment

Guest dmveron

Yes, I've read through that document before, but it's not relevant to my question. I've used the NTLM authentication method for accessing the mirror server through http by creating a "dummy" Windows account on the machine where ERAS is installed, and pushing that dummy account user name and password to all the client machines. That's a fine workaround for my situation, so I'll live with it.

My question/issue though is that you can theoretically use the Basic authentication method for restricting http access to the mirror server, but ESET doesn't provide instructions on how to do that. All the user manuals and online KB articles just say to not use any authentication. When I attempted to manually set up Basic authentication through the server configuration editor, the user name "sticks" but the program deletes the password every time once you save and close the configuration editor. I linked to a previous post on another forum from a user with the same problem. No one responded to that user, and I'm trying to resolve the same issue. What's the point of offering an authentication method without explaining how to use it?

Link to comment

  • Administrators

Passwords are not stored within the configuration xml for security reasons; this is a deliberate behavior.

Link to comment

Guest dmveron

[sigh], I don't know if it's a language/translation issue, but that answer still doesn't relate to the original question. Once again:

There is no manual/tutorial/KB article on implementing "Basic" authentication for an HTTP mirror server. Please write one, or get rid of the feature.

(For the record, there is also no manual/tutorial/KB article on implementing "NTLM" authentication for an HTTP mirror server, but I figured that one out on my own with a little trial and error.)

Link to comment

DMVeron,

I apologize that the answers given have not been thorough or detailed (ending in or useful). Is there a phone # I can reach you at directly to resolve this with you and explain in better detail that you could direct send to me via a Tell? The short answer is that I am now working with our Knowledgebase team to write this article, but have an understanding that I can give to you directly.

The authentication occurs in two places for two different actions. One action is to authenticate for updating to the Remote Administrator for the purpose of checking in (1). The second is for authenticating to the Mirror server inside the Remote Administrator to get the updates (2).

(1) server side is input into Tools>Server Options>Password for clients. The user side is put into the policy under version>Kernel>>Settings>Remote Administrator>Primary Server Password.

(2) server side input into Tools>Server Options>Advanced and then the advanced settings button on that tab. Once in the policy editor, drill down to Remote Administrator>ERA Server>Settings>Mirror>Username and Password fields. The user side is put into the policy under version>Update>Profile>Settings>Username and Password fields.

Once those credentials match and the client machine logs in and gets the update, then the authentication can take place. I recommend setting the password in the policy FIRST so that the clients get that data and THEN change the ERA so that it will start asking for that password. Otherwise, if you change the authentication on the server first the clients won't be able to log in and get the policy changes.

Please feel free to reach out to me through direct messaging or calling the support lines if this is not explicit enough.

Patrick

Link to comment

  • 3 months later...

Hello,
I have the same problem with the basic authentication and I might have found the cause: NTLM is used even if basic authentication is configured. If you just have a look at the security log, you may recognize entries with the HTTP user. The ESET HTTP server simply does not care about its own configured credentials and always tries to authenticate against a local Windows user.

Link to comment

  • ESET Moderators

Hello Sfx,

that is how NTLM authentication works, it always checks the credentials provided against a local user account.

So in this type of authentication you cannot just type your own username and password, but you have to create a user account on the system which hosts the mirror.

Link to comment

I know, but I am talking about basic authentication which behaves like NTLM. It makes no difference whether I choose basic or NTLM authentication.

Link to comment

  • ESET Moderators

Hello SFX,

yes there is a difference, basic uses base64 encoding for authentication, NTLM uses NTLM for authentication.

What version of ERA and Endpoints do you use?

Could you please describe a bit your infrastructure, where do you have mirror and what clients would you like to update from it?

Link to comment
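Added example, not part of any post in this thread and not ESET code: one way to check from the HTTP traffic itself which scheme a mirror offers and which one a client actually sends, and to see that a Basic token is only base64 and decodes straight back to the user name and password. The responses, user name and password below are constructed samples, and the function names are hypothetical.

```python
import base64
import struct

# Constructed sample data (not captured from a real ERA mirror).
BASIC_401 = ("HTTP/1.1 401 Unauthorized\r\n"
             'WWW-Authenticate: Basic realm="mirror"\r\n'
             "Content-Length: 0\r\n\r\n")
NTLM_401 = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: NTLM\r\n"
            "Content-Length: 0\r\n\r\n")
BASIC_HEADER = "Basic " + base64.b64encode(b"mirroruser:example-password").decode()
# NTLM type 1 (negotiate) message: signature, 4-byte LE type, 4-byte flags.
NTLM_HEADER = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()


def offered_schemes(raw_response: str) -> list:
    """Return the auth schemes named in a response's WWW-Authenticate headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def describe_authorization(value: str) -> dict:
    """Classify a client Authorization header value as Basic or NTLM."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                            # binascii.Error subclasses it
        return {"scheme": scheme, "error": "token is not valid base64"}
    if scheme == "basic":
        # Basic is "user:password" in base64: an encoding, not encryption.
        user, _, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": "basic", "user": user, "password": password}
    if scheme == "ntlm" and raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
        # 1 = negotiate, 2 = challenge, 3 = authenticate
        return {"scheme": "ntlm", "message_type": struct.unpack("<I", raw[8:12])[0]}
    return {"scheme": scheme, "error": "unrecognised token"}
```

Feeding these functions the headers from a proxy or packet capture of a client update attempt shows whether the exchange is Basic or NTLM regardless of what the console setting says.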

Server: Windows 2012 Standard + ERA 5.0.511.0 with activated mirror

Test client: Windows 7 x86 + Endpoint Security 5.0.2214.5

All machines are on the same LAN and domain.

Edited by sfx
Link to comment

  • Administrators

Do you use a user name and password of a user that has at least read permissions for the mirror folder on the Windows 2012 Server?

Link to comment

  • 1 year later...

Hi everybody,

I am also trying to set up basic authentication for local HTTP mirror server but it is not working.

I followed PatrickL's post and in the ERA Console on the server, I enabled Basic authentication in "Tools>Server Options>Updates" and put a username and password in the "Remote Administrator>ERA Server>Settings>Mirror>Username and Password fields" of the policy editor.

I then went to the client machine and put the same Username and Password in the Update>Profile>Settings>Username and Password fields.

I then tried to manually update and I get a license detail window asking me for a username and password. If I type again the same Username and Password, I get an incorrect username and/or password message.

As soon as I disable authentication in the ERA console, updates work!

Thanks for your help.

Sylvain

Link to comment

  • ESET Staff

I'd like to point out that we do cover the creation of a username and password for clients to access the mirror in this article for those using ERA 5.x. We also have instructions for those using ERA 6.x to configure a password protected mirror here.

Link to comment

This topic is now closed to further replies.