Users see an authentication prompt when accessing the Internet with RM SafetyNet User Based Filtering (UBF)
Published Date : 16 Oct 2023
Last Updated : 17 Oct 2023
Content Ref: TEC9401141
Operating System
(none)
Part No
(none)
Summary
Explains why one or more users are presented with a Microsoft authentication prompt when accessing the Internet with UBF.
Symptoms
Your school is configured to use RM SafetyNet User Based Filtering (UBF). One or more users are prompted with a Microsoft authentication box, similar to the image below when opening a browser to access the Internet. After entering their current Windows username and password, they may or may not get access to the Internet.
Cause
RM SafetyNet performs proxy authentication with the web browser and uses the currently Windows logged-on user's details for that browsing session to authenticate the user and provide them with User Based Filtering. For Active Directory-joined machines, this should be seamless, with no authentication prompts to the user.
So if an end user sees an authentication prompt at any point, it means RM SafetyNet has been unable to successfully authenticate the user currently logged on to Windows. There could be one or more reasons for this. Please ask your network and RM Unify administrator to assist you with the checks below.
Checks
If your RM Unify establishment uses RM Unify AD Sync, confirm that a Windows server on your network has RM Unify AD Sync v3 or later installed and that the RM Unify AD Sync service is running.
Alternatively, if your RM Unify establishment uses RM Unify Network Provisioning, confirm that a domain controller is running the RM Unify Network Agent service.
Confirm if all domain controllers have RM Unify Password Filter v3.0.54.0 or later installed.
Confirm that the RMNetIdentityQueue$ folder on each domain controller contains the same RMUnifyADSyncCert.cer file. If missing, this can be copied over from the server running the RM Unify AD Sync service (C:\Program Files (x86)\RM\RM Unify AD Sync) or from the server running the RM Unify Network Agent service (C:\ProgramData\RM\RM Unify Network Agent\Database).
Sign into the RM SafetyNet Admin Console and confirm that the affected user is listed. Please see the More information section below for more details on how to access the RM SafetyNet Admin Console.
In the RM Unify Management Console App library, confirm that the RM SafetyNet app tile is installed to all the roles - this is required for RM SafetyNet accounts to be provisioned and synced, along with their passwords. The tile does not need to appear on any Launch Pad for RM SafetyNet to work, but it may already be set to appear for Non Teaching staff - the rmunifyadmin@<scope> account is a Non Teaching staff user, so the tile will be visible for them to access the RM SafetyNet Admin Console.
From that same RM SafetyNet app tile, resync users to RM SafetyNet. Please see the More information section below for detailed steps.
Confirm that the affected user is logged on to a PC that is AD-joined to the school domain. If the user is logged on to a non-domain joined computer, it is expected behaviour to see an authentication box. On entering valid domain user credentials, however, the user should get Internet access from the non-domain joined computer.
Confirm that the affected user's browser is set to use your establishment's provided user-based proxy address on port 8080, e.g. userproxy.rmsafetynet.com:8080. If you are not sure which proxy address this is for your establishment, copy it from a working user's browser or ask your RM Support team.
In case of browser issues, for each available browser, clear the browser cache and attempt Internet access from each browser.
Confirm that the PC displays an accurate date and time within two minutes, as a skewed time will adversely affect authentication success.
Check if the affected user can sign into RM Unify with their current network password. This would need to be tested on a non-UBF Internet connection, e.g. by using your establishment's provided default RM SafetyNet proxy server on port 8080 (e.g. proxy.rmsafetynet.com:8080). If you are not sure which proxy address to use for your establishment, ask your RM Support team.
If the user cannot sign into RM Unify with their current network password, ask the user to reset their network password and log off and back onto the PC using the new password.
Occasionally, a network password change may take five to ten minutes to be received by RM SafetyNet. Allow this time to pass and then ask the user to check if they can now access the Internet and/or sign into RM Unify with the new password.
If this fails, open the RM Unify Management Console (RMMC) and check if the user's Password Last Set date/time matches the recent password change.
If the issue is still unresolved, please contact your RM Support team for further help.
More Information
How to access the RM SafetyNet Admin Console
If you are an RM SafetyNet administrator user, there are several ways you can sign in to access the RM SafetyNet Admin Console:
Browse to https://safetynet.rm.com and enter your RM SafetyNet administrator username and password.
Browse to https://safetynet.rm.com, click 'Sign in with RM Unify' and sign in with your RM Unify credentials.
Browse to https://rmunify.com, sign into RM Unify and where the RM SafetyNet tile is installed to your Launch Pad, click to access the admin console.
How to resync users to RM SafetyNet
Click the RM SafetyNet app tile from the RM Unify App Library.
Under Support Info, click 'Click here' next to 'Are users missing from RM SafetyNet?'.
Click Resync Users.
Close the app tile window.
What happens if multiple users access the same PC?
Where multiple users are logging on/off the same machine, the currently logged on user will always be used and not any previous users.
What happens when Terminal Services or Remote Desktop are in use?
In the case of Terminal Services or Remote Desktop, these also use the user who is logged on to the specific browser session. Therefore, if multiple users are logged in to the same server, each user's web browser is authenticated separately and the user will get the correct filtering policy.
If this article has not helped provide a solution then it is also possible to
log a call...