Cisco Web Security Appliance S690 User Guide
5-5
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
– Use the kerbtray tool from the Windows Resource Kit to verify the Kerberos ticket on the client: http://www.microsoft.com/en-us/download/details.aspx?id=17657
– On Mac clients, the Ticket Viewer application (main menu > Keychain Access) shows the Kerberos tickets.
• Ensure you have the rights and domain information needed to join the Web Security appliance to the Active Directory domain you wish to authenticate against.
• Compare the current time on the Web Security appliance with the current time on the Active Directory server and verify that the difference is no greater than the time specified in the “Maximum tolerance for computer clock synchronization” option on the Active Directory server.
• If the Web Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.
• Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
Step 1 In the Cisco Web Security Appliance web interface, choose Network > Authentication.
Step 2 Click Add Realm.
Step 3 Assign a unique name to the authentication realm using only alphanumeric and space characters.
Step 4 Select Active Directory in the Authentication Protocol field.
Step 5 Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).
Example: ntlm.example.com
An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.
When multiple authentication servers are configured in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authorize the transaction within this realm.
Step 6 Join the appliance to the domain:
a. Configure the Active Directory Account (the settings are described in the table that follows Step 7).
b. Click Join Domain.
Step 7 (Optional) Configure transparent user identification.
Setting: Active Directory Domain
Description: The Active Directory server domain name. Also known as a DNS Domain or realm.

Setting: NetBIOS domain name
Description: If the network uses NetBIOS, provide the domain name.
Tip: If this option is not available, use the setntlmsecuritymode CLI command to verify that the NTLM security mode is set to “domain”.

Setting: Computer Account
Description: Specify a location within the Active Directory domain where AsyncOS will create an Active Directory computer account, also known as a “machine trust account”, to uniquely identify the computer on the domain. If the Active Directory environment automatically deletes computer objects at particular intervals, specify a location for the computer account that is in a container, protected from automatic deletion.
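The prerequisites and Steps 3 and 5 above are checks an administrator performs by hand before clicking Join Domain. The following Python script is an added example (not Cisco code, and not a feature of AsyncOS) that automates those same checks: the realm-name character rule, the limit of three Active Directory servers, the requirement that a hostname be resolvable by the appliance's DNS (otherwise an IP address is needed), and the clock-skew prerequisite that Kerberos depends on. All function names, the fake resolver and the sample values are assumptions chosen for illustration; the 5-minute default skew is Active Directory's default “Maximum tolerance for computer clock synchronization”, and you should pass the value configured on your domain if it differs.

```python
"""Pre-flight checks before creating an Active Directory authentication realm.

Added example for this guide, not Cisco code and not an AsyncOS feature.
Function names, the default tolerance and all sample values are assumptions.
"""
import ipaddress
import re
import socket

# Active Directory's default "Maximum tolerance for computer clock
# synchronization" is 5 minutes; override with the value set on your domain.
DEFAULT_MAX_SKEW_SECONDS = 300
MAX_AD_SERVERS = 3                      # Step 5: up to three AD servers per realm
REALM_NAME_RE = re.compile(r"[A-Za-z0-9 ]+")


def valid_realm_name(name):
    """Step 3: only alphanumeric and space characters, and not empty."""
    return REALM_NAME_RE.fullmatch(name) is not None


def clock_skew_ok(appliance_epoch, ad_server_epoch,
                  max_skew_seconds=DEFAULT_MAX_SKEW_SECONDS):
    """Prerequisite: appliance and AD clocks must differ by no more than the
    domain's tolerance. Kerberos rejects authenticators outside this window,
    so a realm that joins cleanly can still fail every login once NTP drifts.
    Both times are Unix epoch seconds."""
    return abs(appliance_epoch - ad_server_epoch) <= max_skew_seconds


def is_ip_address(value):
    """True for an IPv4 or IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_ad_servers(servers, resolve=socket.gethostbyname):
    """Step 5: at most three servers; a hostname must be resolvable by the
    DNS the appliance uses, otherwise its IP address is required.
    `resolve` is injectable so the check can run offline.
    Returns (ok, problems)."""
    problems = []
    if not servers:
        problems.append("no Active Directory server configured")
    if len(servers) > MAX_AD_SERVERS:
        problems.append(f"{len(servers)} servers configured; "
                        f"the realm accepts at most {MAX_AD_SERVERS}")
    for server in servers:
        if is_ip_address(server):
            continue                    # literal IP: no DNS dependency
        try:
            resolve(server)             # socket.gaierror is a subclass of OSError
        except OSError:
            problems.append(f"DNS cannot resolve {server}; enter its IP address instead")
    return (not problems, problems)


def preflight(realm_name, servers, appliance_epoch, ad_server_epoch,
              max_skew_seconds=DEFAULT_MAX_SKEW_SECONDS,
              resolve=socket.gethostbyname):
    """Run every check; returns a list of problems (empty means go ahead)."""
    problems = []
    if not valid_realm_name(realm_name):
        problems.append("realm name may contain only letters, digits and spaces")
    if not clock_skew_ok(appliance_epoch, ad_server_epoch, max_skew_seconds):
        problems.append("clock skew exceeds the domain's tolerance; fix NTP before joining")
    _, server_problems = check_ad_servers(servers, resolve)
    problems.extend(server_problems)
    return problems


if __name__ == "__main__":
    # Constructed sample input: a fake resolver standing in for the appliance's DNS.
    known_hosts = {"ntlm.example.com": "192.0.2.10"}

    def fake_resolve(host):
        if host not in known_hosts:
            raise OSError(f"unknown host {host}")
        return known_hosts[host]

    for problem in preflight("Corp AD", ["ntlm.example.com", "dc2.example.com"],
                             appliance_epoch=1_700_000_000,
                             ad_server_epoch=1_700_000_400,   # AD clock 400 s ahead
                             resolve=fake_resolve):
        print("PROBLEM:", problem)
```

Run as-is, the sample reports two problems: the unresolvable dc2.example.com (so an IP address would be required in Step 5) and a 400-second skew that exceeds the 5-minute default. Supplying real epoch times (for example from `date +%s` on the appliance and `w32tm` output on the domain controller) and leaving `resolve` at its default turns this into a live check.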