Cisco Cisco Web Security Appliance S660 Mode D'Emploi
5-14
AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Troubleshooting Tools
KerbTray or klist (both part of the Windows Server Resources Kit) for viewing and purging a Kerberos
ticket cache.
ticket cache.
for viewing and editing an Active directory. Wireshark is a
packet analyzer you can use for network troubleshooting.
Next Step
•
Create an Identification Profile that uses the Kerberos authentication scheme.
Classifying Users and
Client Software, page 6-3
.
Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
Before You Begin
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups.
If Active Directory groups are not nested, use the default value, “ads”. See
If Active Directory groups are not nested, use the default value, “ads”. See
the Command Line Interface appendix of this guide.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server. If the Web
Security appliance is managed by a Security Management appliance, be prepared to ensure that
same-named authentication realms on different Web Security appliances have identical properties
defined on each appliance. Be aware that once you commit the new realm, you cannot change a
realm’s authentication protocol.
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server. If the Web
Security appliance is managed by a Security Management appliance, be prepared to ensure that
same-named authentication realms on different Web Security appliances have identical properties
defined on each appliance. Be aware that once you commit the new realm, you cannot change a
realm’s authentication protocol.
•
For NTLMSSP, single sign on (SSO) can be configured on client browsers. See
Using Multiple NTLM Realms and Domains
The following rules apply in regard to using multiple NTLM realms and domains:
•
You can create up to 10 NTLM authentication realms.
•
The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another
NTLM realm.
NTLM realm.
•
Each NTLM realm can join one Active Directory domain only but can authenticate users from any
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
•
Create additional NTLM realms to authenticate users in domains that are not trusted by existing
NTLM realms.
NTLM realms.
Step 1
Choose Network > Authentication.
Step 2
Click Add Realm.
Step 3
Assign a unique name to the authentication realm using only alphanumeric and space characters.
Step 4
Select Active Directory in the Authentication Protocol and Scheme(s) field.
Step 5
Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).
Example:
active.example.com
.