Cisco Cisco Web Security Appliance S170 사용자 가이드

You define the authentication scheme for each Identity group, not at each realm 
or sequence. That means you can use the same NTLM realm or a sequence that 
contains an NTLM realm and use it in Identity groups that use either the 
NTLMSSP, Basic, or “Basic or NTLMSSP” authentication schemes.

The Web Proxy communicates which scheme(s) it supports to the client 
application at the beginning of a transaction. The Identity group currently in use 
determines which scheme(s) it supports. When the Web Proxy informs the client 
application that it supports both Basic and NTLMSSP, the client application 
chooses which scheme to use in the transaction.

Some client applications, such as Internet Explorer, always choose NTLMSSP 
when given a choice between NTLMSSP and Basic. This might cause a user to 
not pass authentication when all of the following conditions are true:

The Identity group uses a sequence that contains both LDAP and NTLM 
realms.

The Identity group uses the “Basic or NTLMSSP” authentication scheme.

A user sends a request from an application that chooses NTLMSSP over 
Basic.

The user only exists in the LDAP realm.

When this happens, the Web Proxy uses the NTLMSSP scheme to authenticate 
users in this Identity group because the client requests it. However, LDAP servers 
do not support NTLMSSP, so no user that exists only in the specified LDAP 
server(s) can pass authentication in this Identity group.

Therefore, when you need to use an authentication sequence that contains both 
LDAP and NTLM realms, consider the client applications that might try to access 
a URL when you configure the authentication scheme for an Identity group. For 
example, you might want to choose Basic as the only authentication scheme for 
an Identity group in some cases.