Cisco Web Security Appliance S170 User Guide

How Authentication Scheme Affects Identity Groups
You define the authentication scheme for each Identity group, not for each realm or sequence. 
That means you can use the same NTLM realm, or a sequence that contains an NTLM realm, 
in Identity groups that use the NTLMSSP, Basic, or “Basic or NTLMSSP” 
authentication scheme.
The Web Proxy communicates which scheme(s) it supports to the client application at the 
beginning of a transaction. The Identity group currently in use determines which scheme(s) it 
supports. When the Web Proxy informs the client application that it supports both Basic and 
NTLMSSP, the client application chooses which scheme to use in the transaction.
Some client applications, such as Internet Explorer, always choose NTLMSSP when given a 
choice between NTLMSSP and Basic. This might cause a user to fail authentication when 
all of the following conditions are true:
• The Identity group uses a sequence that contains both LDAP and NTLM realms.
• The Identity group uses the “Basic or NTLMSSP” authentication scheme.
• A user sends a request from an application that chooses NTLMSSP over Basic.
• The user only exists in the LDAP realm.
When this happens, the Web Proxy uses the NTLMSSP scheme to authenticate users in this 
Identity group because the client requests it. However, LDAP servers do not support 
NTLMSSP, so no user that exists only in the specified LDAP server(s) can pass authentication 
in this Identity group.
Therefore, when you need to use an authentication sequence that contains both LDAP and 
NTLM realms, consider the client applications that might try to access a URL when you 
configure the authentication scheme for an Identity group. For example, you might want to 
choose Basic as the only authentication scheme for an Identity group in some cases.
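
The failure case above can be modeled in a short Python sketch. This is an added example, not Cisco code and not the appliance's configuration format; the class names, realm contents, and user names are constructed. It assumes only what this section states: an NTLM realm can serve both schemes, and an LDAP realm cannot serve NTLMSSP.

```python
# Added illustration, not Cisco code: a simplified model of the scheme
# negotiation described above. All names and sample data are constructed.
from dataclasses import dataclass

# Schemes the Web Proxy offers to the client for each Identity group setting.
OFFERS = {"Basic": {"Basic"}, "NTLMSSP": {"NTLMSSP"},
          "Basic or NTLMSSP": {"Basic", "NTLMSSP"}}

@dataclass(frozen=True)
class Realm:
    kind: str            # "LDAP" or "NTLM"
    users: frozenset     # users that exist in this realm

@dataclass(frozen=True)
class IdentityGroup:
    scheme: str          # a key of OFFERS
    sequence: tuple      # ordered realms in the authentication sequence

def negotiate(group, client_prefs):
    """The client picks its most preferred scheme among those offered."""
    return next((s for s in client_prefs if s in OFFERS[group.scheme]), None)

def authenticate(group, client_prefs, user):
    scheme = negotiate(group, client_prefs)
    if scheme is None:
        return False
    for realm in group.sequence:
        # LDAP servers do not support NTLMSSP, so skip LDAP realms.
        if scheme == "NTLMSSP" and realm.kind == "LDAP":
            continue
        if user in realm.users:
            return True
    return False

def at_risk(group):
    """Config check: both schemes offered and LDAP + NTLM realms in sequence."""
    kinds = {r.kind for r in group.sequence}
    return group.scheme == "Basic or NTLMSSP" and {"LDAP", "NTLM"} <= kinds

# Constructed sample data.
LDAP = Realm("LDAP", frozenset({"alice"}))   # alice exists only in LDAP
NTLM = Realm("NTLM", frozenset({"bob"}))
MIXED = IdentityGroup("Basic or NTLMSSP", (LDAP, NTLM))
BASIC_ONLY = IdentityGroup("Basic", (LDAP, NTLM))
PREFERS_NTLMSSP = ("NTLMSSP", "Basic")       # e.g. Internet Explorer

if __name__ == "__main__":
    print(authenticate(MIXED, PREFERS_NTLMSSP, "alice"))       # False
    print(authenticate(BASIC_ONLY, PREFERS_NTLMSSP, "alice"))  # True
```

Running `at_risk` over every Identity group in an exported inventory flags the groups where LDAP-only users can be locked out by a client that prefers NTLMSSP.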