Cisco Cisco Web Security Appliance S160 Guía Del Usuario
5-14
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 9
(Optional) Click Start Test. This will test the settings you have entered, ensuring they are correct before
real users use them to authenticate. For details on the testing performed, see
real users use them to authenticate. For details on the testing performed, see
•Create additional NTLM
realms to authenticate users in domains that are not trusted by existing NTLM realms., page 5-21
.
Step 10
Troubleshoot any issues found during testing. See
Step 11
Submit and commit your changes.
What to Do Next
•
Create an Identification Profile that uses the Kerberos authentication scheme.
How to Create an Active Directory Authentication Realm (NTLMSSP and Basic)
Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups.
If Active Directory groups are not nested, use the default value, “ads”. See
If Active Directory groups are not nested, use the default value, “ads”. See
the Command Line Interface appendix of this guide.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
•
If the Web Security appliance is managed by a Security Management appliance, be prepared to
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
•
Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
•
For NTLMSSP, single sign on (SSO) can be configured on client browsers. See
About Using Multiple NTLM Realms and Domains
The following rules apply in regard to using multiple NTLM realms and domains:
•
You can create up to 10 NTLM authentication realms.
•
The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another
NTLM realm.
NTLM realm.
•
Each NTLM realm can join one Active Directory domain only but can authenticate users from any
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
•
Create additional NTLM realms to authenticate users in domains that are not trusted by existing
NTLM realms.
NTLM realms.