Applies to all sites using Websense Web security software with Logon Agent and Active Directory user accounts. Versions likely to be affected are Websense Web security software versions 6.x and 7.x, used in conjunction with Windows XP, 2003, and 2008.
If you apply Microsoft update KB 971737, Websense Logon Agent is no longer able to identify users who have Active Directory accounts. As a result, Web filtering for these users does not occur.
If Microsoft update KB 971737 is not installed (or is removed), Logon Agent works as expected, and Active Directory users are filtered properly.
Microsoft update KB 971737 enhances the way Windows authentication works and makes changes to a library used by Websense software. This library is used by LogonApp.exe to authenticate itself with Logon Agent. The update enables extended protection for Windows authentication and turns on NTLM version 2. Support for NTLM version 2 is planned for a future version of Websense software.
Websense is researching the scope of the Microsoft changes for affected Websense versions and is considering options for our customers.
While Websense assesses the changes, one suggested workaround is to defer the installation of Microsoft update KB 971737 until Websense analysis is completed.
Another option is to install the Microsoft patch and then edit the Windows registry to disable extended protection for Windows authentication and revert to using NTLM version 1 (this would involve two different registry changes). Websense will confirm the specific changes soon.
Websense is researching the impact on each affected version of Websense Web security software. Customers will be alerted as soon as we have additional instructions for each version.