Cisco Web Security Appliance S170 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Authentication Problems
• The user only exists in the LDAP realm.
• The Identification Profile uses a sequence that contains both LDAP and NTLM realms.
• The Identification Profile uses the “Basic or NTLMSSP” authentication scheme.
• A user sends a request from an application that chooses NTLMSSP over Basic.
Reconfigure the Identification Profile, the authentication realm, or the application so that at least one
of the above conditions is false.
LDAP Authentication Fails due to LDAP Referral
LDAP authentication fails when all of the following conditions are true:
• The LDAP authentication realm uses an Active Directory server.
• The Active Directory server uses an LDAP referral to another authentication server.
• The referred authentication server is unavailable to the Web Security appliance.
Workarounds:
• Specify the Global Catalog server (default port is 3268) in the Active Directory forest when you
configure the LDAP authentication realm in the appliance.
• Use the advancedproxyconfig > authentication CLI command to disable LDAP referrals. LDAP
referrals are disabled by default.
Basic Authentication Problems
• Related Problems
• Basic Authentication Fails
AsyncOS for Web only supports 7-bit ASCII characters for passphrases when using the Basic
authentication scheme. Basic authentication fails when the passphrase contains characters that are not
7-bit ASCII.
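An added example (not part of the Cisco guide) that decodes a Basic credential and reports which passphrase bytes fall outside 7-bit ASCII, the condition described above as causing Basic authentication to fail. The function names and the sample credentials are constructed for illustration; only byte offsets and values are reported, never the passphrase itself.

```python
import base64
import binascii


def non_ascii_passphrase_bytes(header_value: str):
    """Decode a Basic credential header value and return a list of
    (offset, byte) pairs for passphrase bytes outside 7-bit ASCII.
    Raises ValueError if the value is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in Basic credential") from exc
    # RFC 7617: user-id and password are separated by the first colon.
    user, sep, passphrase = raw.partition(b":")
    if not sep:
        raise ValueError("missing ':' between user and passphrase")
    return [(i, b) for i, b in enumerate(passphrase) if b > 0x7F]


def build_basic(user: str, passphrase: str, charset: str) -> str:
    """Construct a header value the way a client using `charset` would."""
    raw = f"{user}:{passphrase}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample credentials (hypothetical users, not from the guide).
SAMPLES = {
    "ascii": build_basic("alice", "Tr0ub4dor&3", "ascii"),
    "utf-8": build_basic("bob", "pässword", "utf-8"),
    "latin-1": build_basic("bob", "pässword", "latin-1"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        bad = non_ascii_passphrase_bytes(value)
        status = "ok" if not bad else f"non-ASCII bytes at {bad}"
        print(f"{label:8} {status}")
```

The same passphrase produces different offending bytes depending on the client's charset, which is why the failure can appear with one application and not another.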
Single Sign-On Problems
• Users Erroneously Prompted for Credentials
NTLM authentication does not work in some cases when the Web Security appliance is connected to a
WCCP v2 capable device. When a user makes a request with a highly locked down version of Internet
Explorer that does not do transparent NTLM authentication correctly and the appliance is connected to
a WCCP v2 capable device, the browser defaults to Basic authentication. This results in users getting
prompted for their authentication credentials when they should not get prompted.
Workaround