Cisco Web Security Appliance S680 User Guide
Chapter 20 Authentication
Authentication Overview
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
requires Basic authentication, but the appliance requires NTLMSSP
authentication, then the appliance can never successfully pass Basic credentials to
the upstream proxy. This is due to limitations in authentication protocols.
Authenticating Users
When users access the web through the Web Security appliance, they might get
prompted to enter a user name and password. The Web Proxy requires
authentication credentials for some users depending on the configured Identity
and Access Policy groups. Users should enter the user name and password of the
credentials recognized by the organization’s authentication server.
When the Web Proxy uses NTLMSSP authentication with an NTLM
authentication realm, users are typically not prompted to enter a user name and
password if single sign-on is configured correctly. However, if users are prompted
for authentication, they must type the name of their Windows domain before their
user name. For example, if user jsmith is on Windows domain MyDomain, then
the user should type the following text in the user name field:
MyDomain\jsmith
However, if the Web Proxy uses Basic authentication for an NTLM authentication
realm, then entering the Windows domain is optional. If the user does not enter
the Windows domain, then the Web Proxy prepends the default Windows domain.
Note
When the Web Proxy uses authentication with an LDAP authentication realm,
ensure users do not enter the Windows domain name.
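The user-name rules above, as an added example that is not part of the Cisco guide or AsyncOS code: it decodes a Basic credential and applies the NTLMSSP, Basic-with-NTLM-realm and LDAP rules to the name the user typed. The function names, the realm and scheme labels, the sample header and the choice to reject non-conforming input are assumptions made for illustration.

```python
import base64

DEFAULT_DOMAIN = "MyDomain"  # assumed default Windows domain (page's example)
# Constructed sample: what a client sends after the user types jsmith / pa:ss
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jsmith:pa:ss").decode()

def parse_basic(value):
    """Decode 'Basic <base64(user:password)>' into (user, password)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # base64 is an encoding, not encryption; binascii.Error and
    # UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not user:
        raise ValueError("malformed user:password pair")
    return user, password

def normalize_user(typed, realm, scheme, default_domain=DEFAULT_DOMAIN):
    """Apply this section's user-name rules; return (domain, name)."""
    domain, sep, name = typed.partition("\\")
    if not sep:                       # no backslash: whole string is the name
        domain, name = "", typed
    if not name or (sep and not domain):
        raise ValueError("empty user name or domain")
    if realm == "ldap":               # Note: no Windows domain for LDAP realms
        if domain:
            raise ValueError("LDAP realm: omit the Windows domain")
        return None, name
    if realm == "ntlm" and scheme == "ntlmssp":
        if not domain:                # a prompted user must type DOMAIN\user
            raise ValueError("NTLMSSP prompt: enter DOMAIN\\user")
        return domain, name
    if realm == "ntlm" and scheme == "basic":
        return domain or default_domain, name   # default domain is prepended
    raise ValueError("unsupported realm/scheme combination")

if __name__ == "__main__":
    user, _ = parse_basic(SAMPLE_HEADER)
    print(normalize_user(user, "ntlm", "basic"))           # domain filled in
    print(normalize_user("MyDomain\\jsmith", "ntlm", "ntlmssp"))
```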
Working with Failed Authentication
Sometimes users are blocked from the web due to authentication failure. The
following list describes reasons for authentication failure and remedial actions
you can take:
• Client application cannot perform authentication. Some clients cannot
perform authentication or cannot perform the type of authentication that is
required. If a client application causes authentication to fail, you can define
an Identity policy based on the user agent and exclude it from requiring