Cisco Web Security Appliance S670 Troubleshooting Guide

How do I properly set up NTLM with SSO (credentials sent transparently)?
Document ID: 117934
Contributed by Josh Wolfer and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 15, 2014
Question:
Symptoms: The browser prompts for credentials when NTLM authentication is used.
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
Several factors might affect whether the client sends its credentials automatically (SSO − Single Sign On), or
prompts the end user to manually enter their credentials.
Verify the following items when attempting to implement NTLM with SSO:
WSA Authentication Configuration:
Verify that the WSA is set up to use NTLMSSP and not NTLM Basic only.
This setting is in the GUI on the Web Security Manager > Identities page. Edit the appropriate
Identity and then check the Define Members by Authentication > Authentication Schemes setting.
Select one of the following options:
• Use NTLMSSP
• Use Basic or NTLMSSP
• Use Basic
NTLMSSP enables the functionality for the client to send the credentials securely and transparently to the web
proxy. 
NTLM Basic allows the client to send the username and password in plain text when prompted for the
credentials.
The client chooses the best available method when the Use Basic or NTLMSSP option is selected
(recommended). If the client supports NTLMSSP, it will use this method, and all other browsers will use
Basic. This allows for maximum compatibility.
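To confirm from a packet capture or proxy trace which scheme is actually in use, the following added example (not part of the Cisco document) lists the schemes a proxy challenge offers and classifies the client's reply. It assumes explicit forward proxy mode, where the challenge is an HTTP 407 with Proxy-Authenticate headers and NTLMSSP appears on the wire as the "NTLM" scheme; the sample headers, hostname and credentials are constructed.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample data (not captured from a real appliance or user).
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="wsa.example.com"\r\n'
    "Connection: close\r\n"
)
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)).decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"EXAMPLE\\jdoe:constructed-pw").decode()

def offered_schemes(response_headers):
    """Return the schemes offered in Proxy-Authenticate headers, in order."""
    schemes = []
    for line in response_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].upper())
    return schemes

def classify_client_header(value):
    """Classify a Proxy-Authorization value; never returns the password."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "detail": "malformed token"}
    if scheme == "BASIC":  # base64 is an encoding, not encryption
        user = raw.split(b":", 1)[0].decode("utf-8", "replace")
        return {"scheme": scheme, "detail": "plain-text credentials", "user": user}
    if scheme == "NTLM":
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return {"scheme": scheme, "detail": "not an NTLMSSP message"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
        return {"scheme": scheme, "detail": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    return {"scheme": scheme, "detail": "unexpected scheme"}

if __name__ == "__main__":
    print("offered:", offered_schemes(SAMPLE_407))
    for header in (SAMPLE_NTLM, SAMPLE_BASIC):
        print(classify_client_header(header))
```

A client that answers an NTLM-plus-Basic challenge with a Basic header is the case where the user was prompted and the password crossed the wire in recoverable form.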
Client Trust:
If the client does not trust the WSA, it will not send its credentials transparently. The following are guidelines