Cisco Cisco Web Security Appliance S670 User Guide
20-51
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 20 Authentication
NTLM Authentication
NTLM Authentication
The NT Lan Manager (NTLM) authenticates users with an encrypted
challenge-response sequence that occurs between the appliance and a Microsoft
Windows domain controller. The NTLM challenge-response handshake occurs
when a web browser attempts to connect to the appliance and before data is
delivered.
challenge-response sequence that occurs between the appliance and a Microsoft
Windows domain controller. The NTLM challenge-response handshake occurs
when a web browser attempts to connect to the appliance and before data is
delivered.
When you configure an NTLM authentication realm, you do not specify the
authentication scheme. Instead, you choose the scheme at the Access Policy group
level when you configure the policy member definition. This allows you to choose
different schemes for different policy groups. When you create or edit the policy
group, you can choose one of the following schemes:
authentication scheme. Instead, you choose the scheme at the Access Policy group
level when you configure the policy member definition. This allows you to choose
different schemes for different policy groups. When you create or edit the policy
group, you can choose one of the following schemes:
•
Use NTLMSSP
•
Use Basic or NTLMSSP
•
Use Basic
Note
AsyncOS for Web only supports 7-bit ASCII characters for passwords when using
the Basic authentication scheme. Basic authentication fails when the password
contains characters that are not 7-bit ASCII.
the Basic authentication scheme. Basic authentication fails when the password
contains characters that are not 7-bit ASCII.
Working with Multiple Active Directory Domains
AsyncOS allows you to create only one NTLM authentication realm. If your
organization has multiple Active Directory domains, you can authenticate users
in all domains if the following conditions exist:
organization has multiple Active Directory domains, you can authenticate users
in all domains if the following conditions exist:
•
All Active Directory domains must exist in a single forest.
•
There must be a trust relationship among all domains in the forest.
When you define policy group membership by group name, the web interface only
displays Active Directory groups in the domain where AsyncOS created a
computer account when joining the domain. To create a policy group for users in
a different domain in the forest, manually enter the domain and group name in the
web interface.
displays Active Directory groups in the domain where AsyncOS created a
computer account when joining the domain. To create a policy group for users in
a different domain in the forest, manually enter the domain and group name in the
web interface.