Cisco Web Security Appliance S690 User Guide

AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
 
Appendix A Troubleshooting
Authentication Problems
LDAP Problems
LDAP User Fails Authentication due to NTLMSSP
LDAP servers do not support NTLMSSP. Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice between NTLMSSP and Basic. When all of the following conditions are true, the user will fail authentication:
- The user exists only in the LDAP realm.
- The Identification Profile uses a sequence that contains both LDAP and NTLM realms.
- The Identification Profile uses the “Basic or NTLMSSP” authentication scheme.
- A user sends a request from an application that chooses NTLMSSP over Basic.
Reconfigure the Identification Profile, the authentication realm, or the application so that at least one of the above conditions is false.
LDAP Authentication Fails due to LDAP Referral
LDAP authentication fails when all of the following conditions are true:
- The LDAP authentication realm uses an Active Directory server.
- The Active Directory server uses an LDAP referral to another authentication server.
- The referred authentication server is unavailable to the Web Security appliance.
Workarounds:
- Specify the Global Catalog server (default port is 3268) in the Active Directory forest when you configure the LDAP authentication realm in the appliance.
- Use the advancedproxyconfig > authentication CLI command to disable LDAP referrals. LDAP referrals are disabled by default.
Basic Authentication Problems
Related Problems
Basic Authentication Fails
AsyncOS for Web only supports 7-bit ASCII characters for passphrases when using the Basic 
authentication scheme. Basic authentication fails when the passphrase contains characters that are not 
7-bit ASCII.
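
The following Python is an added example, not part of the Cisco guide. It classifies a client's Proxy-Authorization (or Authorization) header value to show whether the application chose NTLMSSP or Basic, as in "LDAP User Fails Authentication due to NTLMSSP", and for Basic whether the passphrase stays within 7-bit ASCII, as in "Basic Authentication Fails". The function name, result strings and sample header values are assumptions constructed for illustration.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(value):
    """Classify a (Proxy-)Authorization value; never returns the passphrase."""
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return (scheme, "token is not valid base64")

    if scheme == "ntlm":
        # An NTLMSSP message starts with an 8-byte signature followed by
        # a little-endian 32-bit message type.
        if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
            return ("ntlm", "missing NTLMSSP signature")
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("ntlm", "NTLMSSP " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))

    if scheme == "basic":
        _user, sep, passphrase = raw.partition(b":")
        if not sep:
            return ("basic", "no ':' separator in credentials")
        # 7-bit ASCII: every byte of the passphrase must be below 0x80.
        if any(b > 0x7F for b in passphrase):
            return ("basic", "passphrase contains non-7-bit-ASCII bytes")
        return ("basic", "passphrase is 7-bit ASCII")

    return (scheme, "scheme not covered by this example")


# Constructed sample header values (assumptions, not captured traffic).
SAMPLES = {
    "ntlm_negotiate": "NTLM " + base64.b64encode(
        NTLMSSP_SIG + struct.pack("<II", 1, 0)).decode(),  # type 1, flags zeroed
    "basic_ascii": "Basic " + base64.b64encode(b"jdoe:Winter2024!").decode(),
    "basic_utf8": "Basic " + base64.b64encode("jdoe:p\u00e4ssw\u00f6rd".encode()).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header))
```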