Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 8 Identities
Matching Client Requests to Identity Groups
The Web Proxy communicates which scheme(s) it supports to the client application at the beginning of
a transaction. The Identity group currently in use determines which scheme(s) it supports. When the Web
Proxy informs the client application that it supports both Basic and NTLMSSP, the client application
chooses which scheme to use in the transaction.
Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice
between NTLMSSP and Basic. This might cause a user to not pass authentication when all of the
following conditions are true:
• The Identity group uses a sequence that contains both LDAP and NTLM realms.
• The Identity group uses the “Basic or NTLMSSP” authentication scheme.
• A user sends a request from an application that chooses NTLMSSP over Basic.
• The user only exists in the LDAP realm.
When this happens, the Web Proxy uses the NTLMSSP scheme to authenticate users in this Identity
group because the client requests it. However, LDAP servers do not support NTLMSSP, so no user that
exists only in the specified LDAP server(s) can pass authentication in this Identity group.
Therefore, when you need to use an authentication sequence that contains both LDAP and NTLM
realms, consider the client applications that might try to access a URL when you configure the
authentication scheme for an Identity group. For example, you might want to choose Basic as the only
authentication scheme for an Identity group in some cases.
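The failure described above can be checked against a planned configuration before it is deployed. The following Python sketch is an added example, not Cisco code; the group and realm names are constructed, and the capability table (LDAP realms verify Basic only, NTLM realms verify Basic and NTLMSSP) is an assumed model of the behavior this page describes.

```python
# Assumed model: schemes each realm type can verify. The page states only
# that LDAP servers do not support NTLMSSP.
REALM_SCHEMES = {"LDAP": {"Basic"}, "NTLM": {"Basic", "NTLMSSP"}}
# Schemes the proxy offers to the client for each Identity group setting.
GROUP_SCHEMES = {
    "Basic": ["Basic"],
    "NTLMSSP": ["NTLMSSP"],
    "Basic or NTLMSSP": ["Basic", "NTLMSSP"],
}

def negotiate(group_scheme, client_prefers_ntlmssp):
    """Return the scheme the client picks from what the proxy offers."""
    offered = GROUP_SCHEMES[group_scheme]
    if client_prefers_ntlmssp and "NTLMSSP" in offered:
        return "NTLMSSP"
    return offered[0]

def can_authenticate(group, user_realms, client_prefers_ntlmssp):
    """True if a realm in the sequence holds the user and verifies the scheme."""
    scheme = negotiate(group["scheme"], client_prefers_ntlmssp)
    return any(
        name in user_realms and scheme in REALM_SCHEMES[rtype]
        for name, rtype in group["sequence"]
    )

def at_risk_groups(groups):
    """Groups where an LDAP-only user fails from an NTLMSSP-preferring client."""
    flagged = []
    for g in groups:
        ldap_realms = {n for n, t in g["sequence"] if t == "LDAP"}
        if ldap_realms and not can_authenticate(g, ldap_realms, True):
            flagged.append(g["name"])
    return flagged

# Constructed sample configuration (hypothetical names).
GROUPS = [
    {"name": "staff", "scheme": "Basic or NTLMSSP",
     "sequence": [("corp-ad", "NTLM"), ("partners-ldap", "LDAP")]},
    {"name": "kiosk", "scheme": "Basic",
     "sequence": [("corp-ad", "NTLM"), ("partners-ldap", "LDAP")]},
    {"name": "ad-only", "scheme": "Basic or NTLMSSP",
     "sequence": [("corp-ad", "NTLM")]},
]

if __name__ == "__main__":
    print(at_risk_groups(GROUPS))
```

Only the group that combines a mixed LDAP and NTLM sequence with “Basic or NTLMSSP” is flagged; the same sequence with Basic as the only scheme is not.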
Matching Client Requests to Identity Groups
shows how the Web Proxy evaluates a client request against the Identity groups
when the Identity is configured to use:
• No authentication surrogates
• IP addresses as authentication surrogates
• Cookies as authentication surrogates with transparent requests
• Cookies as authentication surrogates with explicit requests and credential encryption is enabled
shows how the Web Proxy evaluates a client request against the Identity groups
when the Identity is configured to use cookies as the authentication surrogates, credential encryption is
enabled, and the request is explicitly forwarded.