Cisco Web Security Appliance S680 User Guide
7-9
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 7 Identities
Evaluating Identity Group Membership
Understanding How Authentication Scheme Affects Identity Groups
You define the authentication scheme for each Identity group, not at each realm or sequence. That means you can use the same NTLM realm, or a sequence that contains an NTLM realm, in Identity groups that use any of the NTLMSSP, Basic, or “Basic or NTLMSSP” authentication schemes.
The Web Proxy communicates which scheme(s) it supports to the client application at the beginning of a transaction. The Identity group currently in use determines which scheme(s) it supports. When the Web Proxy informs the client application that it supports both Basic and NTLMSSP, the client application chooses which scheme to use in the transaction.
Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice between NTLMSSP and Basic. This can prevent a user from passing authentication when all of the following conditions are true:
• The Identity group uses a sequence that contains both LDAP and NTLM realms.
• The Identity group uses the “Basic or NTLMSSP” authentication scheme.
• A user sends a request from an application that chooses NTLMSSP over Basic.
• The user only exists in the LDAP realm.
When this happens, the Web Proxy uses the NTLMSSP scheme to authenticate users in this Identity group because the client requests it. However, LDAP servers do not support NTLMSSP, so no user that exists only in the specified LDAP server(s) can pass authentication in this Identity group.
Therefore, when you need to use an authentication sequence that contains both LDAP and NTLM realms, consider the client applications that might try to access a URL when you configure the authentication scheme for an Identity group. For example, you might want to choose Basic as the only authentication scheme for an Identity group in some cases.
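The following is an added example, not code from the Cisco user guide and not AsyncOS itself: a small Python model of the interaction the section describes, so an administrator can check an Identity group configuration against the four conditions listed above before deploying it. The realm names, user names, and the two client preference orders are constructed for the example; the behaviour modelled (NTLM realms accept NTLMSSP or Basic, LDAP realms accept only Basic, the client picks from the schemes the Identity group offers) follows the text.

```python
"""Model of Identity group scheme vs. realm sequence vs. client preference.

Added example (not Cisco code). It reproduces the failure case from the
guide: a "Basic or NTLMSSP" Identity group, a sequence with LDAP and NTLM
realms, a client that always picks NTLMSSP, and a user who exists only in
the LDAP realm. It also shows the suggested mitigation (Basic only).
"""
from dataclasses import dataclass

BASIC = "basic"
NTLMSSP = "ntlmssp"
BASIC_OR_NTLMSSP = "basic_or_ntlmssp"


@dataclass
class Realm:
    name: str
    kind: str          # "ldap" or "ntlm"
    users: frozenset   # constructed directory contents for the example

    def supports(self, scheme: str) -> bool:
        # Per the guide: LDAP servers do not support NTLMSSP; an NTLM realm
        # can be used with either scheme.
        return scheme == BASIC or self.kind == "ntlm"


@dataclass
class IdentityGroup:
    name: str
    scheme: str        # BASIC, NTLMSSP or BASIC_OR_NTLMSSP
    sequence: list     # ordered realms, as in an authentication sequence

    def offered_schemes(self) -> list:
        # What the Web Proxy advertises to the client for this group.
        if self.scheme == BASIC_OR_NTLMSSP:
            return [BASIC, NTLMSSP]
        return [self.scheme]


def negotiate(offered: list, client_preference: list):
    """The client chooses from the offered schemes in its own preference order."""
    for scheme in client_preference:
        if scheme in offered:
            return scheme
    return None


def authenticate(group: IdentityGroup, client_preference: list, user: str):
    """Return (passed, scheme_used, realm_or_reason) for one transaction."""
    scheme = negotiate(group.offered_schemes(), client_preference)
    if scheme is None:
        return (False, None, "client supports none of the offered schemes")
    for realm in group.sequence:
        # A realm that cannot handle the negotiated scheme cannot validate
        # the user at all, regardless of whether the user exists there.
        if realm.supports(scheme) and user in realm.users:
            return (True, scheme, realm.name)
    return (False, scheme, "no realm in the sequence could validate the user")


# --- constructed sample configuration ---------------------------------------
LDAP_REALM = Realm("corp-ldap", "ldap", frozenset({"alice"}))   # alice: LDAP only
NTLM_REALM = Realm("corp-ntlm", "ntlm", frozenset({"bob"}))     # bob: NTLM only
MIXED_SEQUENCE = [LDAP_REALM, NTLM_REALM]

MIXED_GROUP = IdentityGroup("employees", BASIC_OR_NTLMSSP, MIXED_SEQUENCE)
BASIC_ONLY_GROUP = IdentityGroup("employees-basic", BASIC, MIXED_SEQUENCE)

PREFERS_NTLMSSP = [NTLMSSP, BASIC]   # e.g. a browser that always picks NTLMSSP
PREFERS_BASIC = [BASIC, NTLMSSP]     # a client that picks Basic when offered


def audit(group: IdentityGroup, sequence_users: list, client_preference: list) -> list:
    """List users who would fail for this group with this client behaviour."""
    return [u for u in sequence_users if not authenticate(group, client_preference, u)[0]]


if __name__ == "__main__":
    for group in (MIXED_GROUP, BASIC_ONLY_GROUP):
        for pref in (PREFERS_NTLMSSP, PREFERS_BASIC):
            failing = audit(group, ["alice", "bob"], pref)
            print(f"{group.name:16} client prefers {pref[0]:8} failing users: {failing}")
```

Running the block prints that `alice` fails in the “Basic or NTLMSSP” group only when the client prefers NTLMSSP, and that switching the group to Basic only lets her authenticate against the LDAP realm with the same client.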