Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20  Authentication
Understanding How Authentication Works

Table 20-1 describes the different authentication scenarios you can configure between the Web Security appliance and the client, and between the Web Security appliance and the authentication server. The Web Proxy deployment mode also affects how authentication works in each of the scenarios listed in Table 20-1. For more information, see .
Basic versus NTLMSSP Authentication Schemes
When you configure an Identity group to use authentication, you choose the authentication scheme, either Basic or NTLMSSP. The authentication scheme affects both the user experience and how well users' passwords are protected on the wire. Table 20-2 describes the differences between the Basic and NTLMSSP authentication schemes.
Table 20-1  Web Security Appliance Authentication Scenarios

  Client to Web Security   Web Security Appliance to   Authentication Server Type
  Appliance                Authentication Server
  -----------------------  --------------------------  ----------------------------------
  Basic                    LDAP                        LDAP server
  Basic                    LDAP                        Active Directory server using LDAP
  Basic                    NTLM                        Active Directory server using NTLM
  NTLMSSP                  NTLM                        Active Directory server using NTLM
Table 20-2  Basic versus NTLMSSP Authentication Schemes

Basic
  User experience: The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember them. Each time the user opens the browser, the client either prompts for credentials again or resends the previously saved credentials.
  Security: Credentials are sent in the clear. The user name and password in the Proxy-Authorization header are only Base64-encoded, which is an encoding, not encryption, so a packet capture between the client and the Web Security appliance reveals the user name and password to anyone who decodes the header.
  Note: You can configure the Web Security appliance so that clients send Basic credentials over an encrypted connection. For more information, see .

NTLMSSP
  User experience: The client authenticates transparently using the user's Windows login credentials; the user is not prompted. The client does prompt the user for credentials in the following cases:
    •  The Windows credentials failed.
    •  The client does not trust the Web Security appliance because of browser security settings (for example, the appliance host name is not in a zone for which the browser sends Windows credentials automatically).
  Security: Credentials are exchanged through a three-way challenge-response handshake (a Type 1 negotiate message, a Type 2 challenge from the appliance, and a Type 3 response from the client). The password itself is never sent across the connection; the client sends a response computed from its password hash and the appliance's challenge. A captured challenge and response can still be brute-forced offline, so NTLMSSP protects the password on the wire but does not make a weak password safe. For more information on the three-way handshake, see .
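The following example illustrates the security difference between the two schemes in Table 20-2 by reconstructing what a packet capture between the client and the appliance actually exposes. It is an added example, not code from the Cisco guide or the AsyncOS product: the user name, password, domain and workstation are constructed sample values, the Basic header and the NTLM Type 1/2/3 messages are built inline with the standard NTLMSSP layout, and the `respond` callback stands in for the client's real challenge-response computation (no password hash is derived here).

```python
import base64
import os
import struct

# Constructed sample: the header a browser sends the Web Security appliance
# after a 407 challenge with the Basic scheme (user name and password assumed).
BASIC_HEADER = "Proxy-Authorization: Basic " + base64.b64encode(b"jsmith:Winter2013!").decode()


def decode_basic_proxy_auth(header_line):
    """Recover user name and password from a captured Basic proxy header.

    Base64 is an encoding, not encryption: anyone holding the packet capture
    gets the clear-text credentials back with a single decode.
    """
    scheme, _, blob = header_line.split(":", 1)[1].strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001              # payload strings are UTF-16LE
NTLM_TYPE3_HEADER_LEN = 8 + 4 + 6 * 8 + 4   # signature, type, 6 buffers, flags


def _sec_buf(length, offset):
    """NTLM 'security buffer': length, max length, offset from message start."""
    return struct.pack("<HHI", length, length, offset)


def build_ntlm_type3(domain, user, workstation, nt_response, lm_response=b""):
    """Construct a Type 3 (AUTHENTICATE) message the way a client would.

    A real client derives nt_response from its password hash and the server's
    challenge; here the caller supplies opaque bytes, so no password or hash
    is involved in this example at all.
    """
    fields = [lm_response, nt_response,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # no session key
    descriptors, payload = b"", b""
    offset = NTLM_TYPE3_HEADER_LEN
    for f in fields:
        descriptors += _sec_buf(len(f), offset)
        payload += f
        offset += len(f)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def parse_ntlm_type3(blob):
    """What a capture of the Type 3 message gives an eavesdropper.

    Domain, user name and workstation are readable; the NT response is the
    answer to the appliance's challenge; there is no field carrying the password.
    """
    if blob[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
    out = {}
    for i, name in enumerate(names):
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, 12 + 8 * i)
        out[name] = blob[offset:offset + length]
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode("utf-16-le")
    return out


def proxy_ntlm_handshake(domain, user, workstation, respond):
    """The three-way handshake between client and Web Security appliance as
    HTTP proxy headers (constructed). `respond` is a stand-in for the client's
    challenge-response computation and receives the 8-byte server challenge."""
    type1 = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE)
    challenge = os.urandom(8)   # the appliance's nonce for this connection
    type2 = (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + _sec_buf(0, 48)   # target name
             + struct.pack("<I", NEGOTIATE_UNICODE) + challenge + b"\x00" * 8
             + _sec_buf(0, 48))                                            # target info
    type3 = build_ntlm_type3(domain, user, workstation, respond(challenge))
    b64 = lambda m: base64.b64encode(m).decode()
    return [
        ("client", "GET http://example.com/ HTTP/1.1"),
        ("proxy",  "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM"),
        ("client", "Proxy-Authorization: NTLM " + b64(type1)),                        # Type 1: negotiate
        ("proxy",  "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM " + b64(type2)),  # Type 2: challenge
        ("client", "Proxy-Authorization: NTLM " + b64(type3)),                        # Type 3: response
        ("proxy",  "HTTP/1.1 200 OK"),
    ]
```

Running `decode_basic_proxy_auth(BASIC_HEADER)` returns the clear-text pair, which is exactly what a capture of Basic traffic hands an attacker. Parsing the Type 3 message from `proxy_ntlm_handshake` returns the identity fields and an opaque response but no password; the practical caveat is that the challenge (in the Type 2 message) and the response (in the Type 3 message) are both on the wire, so a captured NTLM exchange can be fed to an offline password-cracking tool even though the password itself never crossed the connection.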