Cisco Web Security Appliance S170 User Guide

Cisco AsyncOS 8.0.6 for Web User Guide
 
Appendix A: Troubleshooting
Authentication Problems
LDAP Problems
LDAP User Fails Authentication due to NTLMSSP
LDAP servers do not support NTLMSSP. Some client applications, such as Internet Explorer, always 
choose NTLMSSP when given a choice between NTLMSSP and Basic. When all of the following 
conditions are true, the user will fail authentication:
The user only exists in the LDAP realm.
The Identity uses a sequence that contains both LDAP and NTLM realms.
The Identity uses the “Basic or NTLMSSP” authentication scheme.
A user sends a request from an application that chooses NTLMSSP over Basic.
Reconfigure the Identity, the authentication realm, or the application so that at least one of the above 
conditions is false.
LDAP Authentication Fails due to LDAP Referral
LDAP authentication fails when all of the following conditions are true:
The LDAP authentication realm uses an Active Directory server.
The Active Directory server uses an LDAP referral to another authentication server. 
The referred authentication server is unavailable to the Web Security appliance.
Workarounds:
Specify the Global Catalog server (default port is 3268) in the Active Directory forest when you 
configure the LDAP authentication realm in the appliance.
Use the advancedproxyconfig > authentication CLI command to disable LDAP referrals. LDAP 
referrals are disabled by default.
Basic Authentication Problems
Related Problems
Basic Authentication Fails
AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic 
authentication scheme. Basic authentication fails when the password contains characters that are not 
7-bit ASCII.
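The following diagnostic is an added example, not part of the Cisco guide or AsyncOS. It decodes a captured Basic credential header value and reports whether the password stays within 7-bit ASCII, without ever returning the password. The function names and sample credentials are hypothetical and constructed for illustration.

```python
import base64
import binascii


def check_basic_credentials(header_value):
    """Check the value of an Authorization / Proxy-Authorization header.

    Returns (ok, reason, offsets). offsets lists the byte positions inside
    the password that fall outside 7-bit ASCII (0x00-0x7F). The password
    itself is never returned, so the result is safe to log.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        # e.g. the client chose NTLMSSP instead of Basic
        return (False, "not a Basic credential", [])
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return (False, "token is not valid base64", [])
    # The user ID and password are separated by the FIRST colon, so a
    # password may itself contain colons.
    _user, sep, password = raw.partition(b":")
    if not sep:
        return (False, "no colon separator", [])
    offsets = [i for i, b in enumerate(password) if b > 0x7F]
    if offsets:
        return (False, "password has non-7-bit-ASCII bytes", offsets)
    return (True, "password is 7-bit ASCII", [])


def make_header(user, password, encoding="utf-8"):
    """Build a constructed sample header value the way a client would."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed samples: none of these are real credentials.
    samples = [
        make_header("jdoe", "Tr1cky:pass"),          # ASCII only, colon in password
        make_header("jdoe", "pässword"),             # UTF-8 client encoding
        make_header("jdoe", "pässword", "latin-1"),  # ISO-8859-1 client encoding
        "NTLM TlRMTVNTUAAB",                         # not Basic at all
    ]
    for value in samples:
        print(check_basic_credentials(value))
```

Whichever character encoding the client uses, a non-ASCII character produces at least one byte above 0x7F, so the check does not depend on guessing the encoding.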