Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7.5 for Web User Guide, page 20-31
Chapter 20      Authentication
Table 20-14      LDAP Group Authorization—User Object Settings (continued)

User Object Setting: Attribute that Contains the Group Name
Description: When the group membership attribute is a DN, this specifies the attribute that can be used as the group name in policy group configurations. Choose one of the following values:
  • cn. A unique identifier in the LDAP directory that specifies the name of a group.
  • custom. A custom identifier such as FinanceGroup.

User Object Setting: Query String to Determine if Object is a Group
Description: Choose an LDAP search filter that determines if an LDAP object represents a user group. Choose one of the following values:
  • objectclass=groupofnames
  • objectclass=groupofuniquenames
  • objectclass=group
  • custom. A custom filter such as objectclass=person.
  Note: The query defines the set of authentication groups which can be used in Web Security Manager policies.

NTLM Authentication

The NT LAN Manager (NTLM) authenticates users with an encrypted challenge-response sequence that occurs between the appliance and a Microsoft Windows domain controller. The NTLM challenge-response handshake occurs when a web browser attempts to connect to the appliance and before data is delivered.

When you configure an NTLM authentication realm, you do not specify the authentication scheme. Instead, you choose the scheme when you use the realm in an Identity group. This allows you to choose different schemes for different Identities. When you create or edit the Identity group, you can choose one of the following schemes:
  • Use NTLMSSP
  • Use Basic or NTLMSSP
  • Use Basic

Note: AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic authentication scheme. Basic authentication fails when the password contains characters that are not 7-bit ASCII.

Authenticating Users Against Multiple Active Directory Domains

An NTLM realm is configured to join one Active Directory domain. However, the Web Proxy can also authenticate users against domains in either the same or a different forest when the following conditions exist:
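The following added example (not code from the Cisco guide or the appliance) models how the two Table 20-14 settings, the group-object query string and the group-name attribute, select group objects from an LDAP result set and name them for policy use. The directory entries and the displayName attribute are constructed sample data for illustration.

```python
import re

# Constructed sample LDAP entries (not real directory output): each entry is a
# map of attribute name -> list of values, the shape an LDAP search returns.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "group"], "cn": ["FinanceGroup"],
     "displayName": ["Finance Department"]},
    {"objectClass": ["top", "groupOfNames"], "cn": ["ops"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"objectClass": ["top", "person"], "cn": ["Alice Liddell"],
     "uid": ["alice"]},
]

def parse_equality_filter(query):
    """Parse a simple equality filter such as 'objectclass=group' or
    '(objectclass=groupofnames)' into (attribute, value).
    Only the equality form used by the table's choices is supported."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w-]*)\s*=\s*([^()=]+?)\s*\)?", query)
    if not m:
        raise ValueError(f"unsupported filter: {query!r}")
    return m.group(1).lower(), m.group(2)

def _values(entry, attr_name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for name, values in entry.items():
        if name.lower() == attr_name.lower():
            return values
    return []

def entry_matches(entry, query):
    """True if the entry carries the filter's attribute with the filter's
    value (objectClass values compare case-insensitively on a directory)."""
    attr, value = parse_equality_filter(query)
    return any(v.lower() == value.lower() for v in _values(entry, attr))

def group_names(entries, group_query="objectclass=group", name_attr="cn"):
    """Return the policy-usable group names: one per entry the group query
    selects, read from name_attr ('cn' or a custom attribute)."""
    names = []
    for entry in entries:
        if entry_matches(entry, group_query):
            values = _values(entry, name_attr)
            if values:
                names.append(values[0])
    return names
```

A too-broad custom filter such as objectclass=person would turn user entries into "groups", which is why the query should be checked against a real search result before the realm is used in policies.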