Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Supported Authentication Characters
AsyncOS only creates an Active Directory computer account when you edit the authentication realm
Active Directory information or when the appliance reboots.
Note
To successfully join the Active Directory domain, the time difference between the Web Security
appliance and the Active Directory server should be less than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server. When you use
Network Time Protocol (NTP) to specify the current time on the Web Security appliance, remember that
the default time server is time.ironport.com. This may affect the time difference between the appliance
and the Active Directory server.
Some Active Directory environments automatically delete computer objects at particular intervals for
accounts that appear inactive in order to clean up old computer objects. However, AsyncOS does not
automatically change the password for the computer account it creates in an Active Directory server, so
the computer account may appear inactive over time. Therefore, if the Active Directory environment
automatically deletes computer objects at particular intervals, make sure the Web Security appliance
computer account is created in a container that is exempt from this cleanup process.
Supported Authentication Characters
This section lists the characters the Web Security appliance supports when it communicates with LDAP
and Active Directory servers. For authentication to work properly, verify that your authentication servers
only use the supported characters listed in this section.
For example, according to
, the appliance can validate users with the following Active
Directory user name:
jsmith#123
And according to
, the appliance cannot validate users with the following Active Directory
user name:
jsmith+
Active Directory Server Supported Characters
lists the characters the Web Security appliance supports for the User Name field for Active
Directory servers.
Note
The Web Security appliance supports the percent ( % ) character for end users browsing the web.
However, you cannot use a user name with the percent ( % ) character to join the Active Directory domain
when you create an NTLM authentication realm.
Table 21-16 Supported Active Directory Server Characters — User Name Field
Supported Characters
Characters Not Supported
A...Z a...z
0 1 2 3 4 5 6 7 8 9
` ~ ! # $ % ^ & ( ) _ - { } ' . @
space
/ \ [ ] : ; | = , + * ? < > "
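An added example (not from the Cisco guide) that audits Active Directory user names against the character lists in Table 21-16 and the NTLM domain-join note above. The function names and sample names are assumptions of this example; because this copy of the table does not show which column "space" belongs to, spaces and any character in neither list are reported for manual review.

```python
import string

# Character lists transcribed from Table 21-16 (User Name field).
SUPPORTED = set(string.ascii_letters + string.digits + "`~!#$%^&()_-{}'.@")
NOT_SUPPORTED = set('/\\[]:;|=,+*?<>"')


def check_user_name(name, for_domain_join=False):
    """Return (verdict, problem_chars) for one Active Directory user name.

    verdict is "ok", "unsupported" (a character the table lists as not
    supported), or "review" (a character this example cannot classify).
    """
    bad = sorted({c for c in name if c in NOT_SUPPORTED})
    # The note above the table: '%' works for end users browsing the web,
    # but not for the account used to join the domain for an NTLM realm.
    if for_domain_join and "%" in name:
        bad = sorted(set(bad) | {"%"})
    if bad:
        return "unsupported", bad
    # Assumption: spaces and anything outside both lists (for example
    # non-ASCII letters) are flagged for manual review, not rejected.
    unknown = sorted({c for c in name if c not in SUPPORTED})
    if unknown or not name:
        return "review", unknown
    return "ok", []


def audit(names, for_domain_join=False):
    """Map each name that is not "ok" to its (verdict, chars) result."""
    results = {n: check_user_name(n, for_domain_join) for n in names}
    return {n: r for n, r in results.items() if r[0] != "ok"}


if __name__ == "__main__":
    # Constructed sample names; the first two are the page's own examples.
    sample = ["jsmith#123", "jsmith+", "ops%team", "j smith", "müller"]
    for name, (verdict, chars) in audit(sample).items():
        print(f"{name!r}: {verdict} {chars}")
```

Run it over an export of the directory's user names before pointing an authentication realm at the server, and pass `for_domain_join=True` for the account used to join the domain.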