Cisco Cisco Web Security Appliance S170 사용자 가이드
396
I R O N P O R T A S Y N C O S 6 . 5 F O R W E B U S E R G U I D E
N T L M A U T H E N T I C A T I O N
The NT Lan Manager (NTLM) authenticates users with an encrypted challenge-response
sequence that occurs between the appliance and a Microsoft Windows domain controller.
The NTLM challenge-response handshake occurs when a web browser attempts to connect to
the appliance and before data is delivered.
sequence that occurs between the appliance and a Microsoft Windows domain controller.
The NTLM challenge-response handshake occurs when a web browser attempts to connect to
the appliance and before data is delivered.
When you configure an NTLM authentication realm, you do not specify the authentication
scheme. Instead, you choose the scheme at the Access Policy group level when you configure
the policy member definition. This allows you to choose different schemes for different policy
groups. When you create or edit the policy group, you can choose one of the following
schemes:
scheme. Instead, you choose the scheme at the Access Policy group level when you configure
the policy member definition. This allows you to choose different schemes for different policy
groups. When you create or edit the policy group, you can choose one of the following
schemes:
• Use NTLMSSP
• Use Basic or NTLMSSP
• Use Basic
Note — AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the
Basic authentication scheme. Basic authentication fails when the password contains
characters that are not 7-bit ASCII.
Basic authentication scheme. Basic authentication fails when the password contains
characters that are not 7-bit ASCII.
Working with Multiple Active Directory Domains
AsyncOS allows you to create only one NTLM authentication realm. If your organization has
multiple Active Directory domains, you can authenticate users in all domains if the following
conditions exist:
multiple Active Directory domains, you can authenticate users in all domains if the following
conditions exist:
• All Active Directory domains must exist in a single forest.
• There must be a trust relationship among all domains in the forest.
When you define policy group membership by group name, the web interface only displays
Active Directory groups in the domain where AsyncOS created a computer account when
joining the domain. To create a policy group for users in a different domain in the forest,
manually enter the domain and group name in the web interface.
Active Directory groups in the domain where AsyncOS created a computer account when
joining the domain. To create a policy group for users in a different domain in the forest,
manually enter the domain and group name in the web interface.