Cisco Web Security Appliance S170 User Guide
21-36
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
NTLM Authentication
• When all Active Directory domains exist in the same forest, there must be a trust relationship among all domains in the forest.
• When an Active Directory domain exists in a different forest, the domain that the WSA joins must have at least a one-way trust with the domain where the users belong.
When you define policy group membership by group name, the web interface only displays Active Directory groups in the domain where AsyncOS created a computer account when joining the domain. To create a policy group for users in a different domain, manually enter the domain and group name in the web interface.
NTLM Authentication Settings
Table 21-15 describes the authentication settings you define when you choose NTLM authentication.
Table 21-15 NTLM Authentication Settings
Setting: Active Directory Server
Description: Enter the Active Directory server IP address or hostname. You can specify up to three servers.
The hostname must be a fully-qualified domain name. For example, ntlm.example.com. An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.
Note: When multiple authentication servers are configured in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authorize the transaction within this realm.

Setting: Active Directory Account
Description: Enter the following Active Directory account information:
• Active Directory server domain name.
• NetBIOS domain name. You only need to enter the NetBIOS domain name if the network uses NetBIOS. This field only appears when the NTLM security mode is set to “domain” using the setntlmsecuritymode CLI command.
• Computer account location.
Note: You must click Join Domain to enter an Active Directory username and password.
For more information about entering the Active Directory account information, see

Setting: Join Domain button (Active Directory User)
Description: When you click Join Domain, enter the name and password for the Active Directory user.
If the appliance and the Active Directory server are in the same domain, any valid user that is a member of User Domain is allowed.
However, depending on the Active Directory server configuration, this user might need Domain Admin Group or Enterprise Admin Group credentials. For example:
• If the appliance and the Active Directory server are not in the same domain, the Active Directory user must be a member of the Domain Admin Group.
• If the Active Directory server configuration is a forest, the Active Directory user must be a member of the Enterprise Admin Group.
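As an added example that is not part of Cisco's guide or the AsyncOS product, the following Python pre-flight check encodes the constraints from Table 21-15 and the join-domain credential rules above: one to three servers given as a fully-qualified domain name or IP address, the NetBIOS field applying only in the “domain” security mode, and the group membership the join user needs when the appliance is in a different domain or the server is part of a forest. The realm dictionary, its key names and the sample values are assumptions constructed for this example.

```python
import ipaddress
import re

# DNS label rule used for the FQDN check (constructed for this example).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """True when `name` has at least two valid DNS labels, e.g. ntlm.example.com."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def validate_ntlm_realm(realm):
    """Return findings for a hypothetical realm dict mirroring Table 21-15.

    Keys: servers, netbios_domain, domain_mode (setntlmsecuritymode is 'domain'),
    same_domain (appliance and AD server share a domain), forest, join_user_groups.
    """
    findings = []
    servers = realm.get("servers", [])
    if not 1 <= len(servers) <= 3:
        findings.append("between one and three Active Directory servers are required")
    for server in servers:
        if not (is_fqdn(server) or is_ip(server)):
            findings.append(f"{server!r} is neither a fully-qualified domain name nor an IP address")
    if realm.get("netbios_domain") and not realm.get("domain_mode"):
        findings.append("NetBIOS domain name only applies when the NTLM security mode is 'domain'")
    groups = set(realm.get("join_user_groups", []))
    if not realm.get("same_domain") and "Domain Admins" not in groups:
        findings.append("appliance is in a different domain: join user must be in Domain Admins")
    if realm.get("forest") and "Enterprise Admins" not in groups:
        findings.append("forest configuration: join user must be in Enterprise Admins")
    return findings

# Constructed sample realm that satisfies every rule above.
SAMPLE_REALM = {
    "servers": ["ntlm.example.com", "192.0.2.10"], "netbios_domain": "EXAMPLE",
    "domain_mode": True, "same_domain": True, "forest": False,
    "join_user_groups": ["Domain Users"],
}
```

Running the check on a planned realm definition before clicking Join Domain catches a missing trust-related privilege or an unusable server entry without consuming a failed join attempt on the domain controller.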