Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 20      Authentication
Understanding How Authentication Works
Step 6: Web Proxy passes the authentication information to the Active Directory server. The Active Directory server then verifies that the client used the correct password based on whether or not it modified the challenge string appropriately.
Step 7: If the challenge response passes, the Web Proxy returns the requested web page.
Note: Additional requests on the same TCP connection do not need to be authenticated again with the Active Directory server.
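The check in Step 6, as an added example that is not part of the Cisco guide: it assumes the NTLMv2 response computation from the MS-NLMP specification (the guide does not say which NTLM version is in use), and the function names, account values and shortened client blob are constructed for illustration.

```python
import hmac

def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def client_response(nt_hash, user, domain, server_challenge, blob):
    """What the client returns: a 16-byte proof followed by the blob it covers."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, "md5").digest() + blob

def directory_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Directory-side check: recompute the proof from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)

# Constructed sample values; none of them come from the guide.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")     # stand-in for MD4(UTF-16LE password)
WRONG_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # what a wrong password would yield
USER, DOMAIN = "alice", "EXAMPLE"
CHALLENGE = bytes.fromhex("0123456789abcdef")        # 8-byte challenge; random per connection in practice
OTHER_CHALLENGE = bytes.fromhex("fedcba9876543210")  # challenge issued on a different connection
BLOB = bytes.fromhex("a1a2a3a4a5a6a7a8")             # shortened stand-in for timestamp and client nonce

def demo():
    good = client_response(NT_HASH, USER, DOMAIN, CHALLENGE, BLOB)
    bad = client_response(WRONG_HASH, USER, DOMAIN, CHALLENGE, BLOB)
    return {
        "correct_password": directory_verify(NT_HASH, USER, DOMAIN, CHALLENGE, good),
        "wrong_password": directory_verify(NT_HASH, USER, DOMAIN, CHALLENGE, bad),
        # A captured response does not verify against another connection's challenge.
        "replayed": directory_verify(NT_HASH, USER, DOMAIN, OTHER_CHALLENGE, good),
        # Neither the password nor its hash appears in what crosses the wire.
        "hash_on_wire": NT_HASH in good,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```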
The following table lists the advantages and disadvantages of using explicit forward NTLM authentication.
Table 20-7 Pros and Cons of Explicit Forward NTLM Authentication

Advantages
  • Because the password is not transmitted to the authentication server, it is more secure
  • Connection is authenticated, not the host or IP address
  • Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the Web Security appliance

Disadvantages
  • Moderate overhead: each new connection needs to be re-authenticated
  • Primarily supported on Windows only and with major browsers only

Transparent Deployment, NTLM Authentication
Transparent NTLM authentication is similar to transparent Basic authentication 
except that the Web Proxy communicates with clients using NTLMSSP instead of 
Basic. However, with transparent NTLM authentication, the authentication 
credentials are not sent in the clear to the authentication server.
For more information, see 
The advantages and disadvantages of using transparent NTLM authentication are 
the same as those of using transparent Basic authentication except that transparent 
NTLM authentication is better because the password is not sent to the 
authentication server and you can achieve single sign-on when the client