Cisco Web Security Appliance S170 User Guide

AsyncOS 10.0 for Cisco Web Security Appliances User Guide
 
Appendix A Troubleshooting
Authentication Problems
• The user only exists in the LDAP realm.
• The Identification Profile uses a sequence that contains both LDAP and NTLM realms.
• The Identification Profile uses the “Basic or NTLMSSP” authentication scheme.
• A user sends a request from an application that chooses NTLMSSP over Basic.
Reconfigure the Identification Profile, the authentication realm, or the application so that at least one of the above conditions is false.
LDAP Authentication Fails due to LDAP Referral
LDAP authentication fails when all of the following conditions are true:
• The LDAP authentication realm uses an Active Directory server.
• The Active Directory server uses an LDAP referral to another authentication server.
• The referred authentication server is unavailable to the Web Security appliance.
Workarounds:
• Specify the Global Catalog server (default port is 3268) in the Active Directory forest when you configure the LDAP authentication realm in the appliance.
• Use the advancedproxyconfig > authentication CLI command to disable LDAP referrals. LDAP referrals are disabled by default.
Basic Authentication Problems
Related Problems
Basic Authentication Fails
AsyncOS for Web only supports 7-bit ASCII characters for passphrases when using the Basic authentication scheme. Basic authentication fails when the passphrase contains characters that are not 7-bit ASCII.
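One way to check a failing request for this condition, as an added example that is not part of the Cisco guide: decode the value of a captured Authorization header and report any passphrase bytes above 0x7F without revealing the passphrase itself. The function names check_basic_header and make_header are hypothetical, and the sample credentials are constructed; the samples also show that the same non-ASCII passphrase produces different bytes depending on whether the client encodes it as UTF-8 or ISO-8859-1.

```python
import base64
import binascii


def check_basic_header(header_value):
    """Return (user, offending_bytes) for an 'Authorization: Basic ...' value.

    offending_bytes lists the distinct passphrase byte values above 0x7F;
    an empty list means the passphrase is 7-bit ASCII.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in Basic credential") from exc
    # The user name and passphrase are separated by the FIRST colon only,
    # so a passphrase may itself contain colons.
    user, sep, passphrase = raw.partition(b":")
    if not sep:
        raise ValueError("missing ':' separator")
    offending = sorted({b for b in passphrase if b > 0x7F})
    return user.decode("latin-1"), offending


def make_header(user, passphrase, charset):
    """Build the header value the way a client using `charset` would."""
    raw = f"{user}:{passphrase}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials (not real accounts).
    samples = [
        make_header("jdoe", "Winter-2024!", "ascii"),
        make_header("jdoe", "Wintér-2024!", "utf-8"),
        make_header("jdoe", "Wintér-2024!", "latin-1"),
    ]
    for value in samples:
        user, bad = check_basic_header(value)
        detail = ", ".join(f"0x{b:02X}" for b in bad)
        print(f"{user}: " + (f"non-ASCII bytes {detail}" if bad else "7-bit ASCII"))
```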
Single Sign-On Problems
Users Erroneously Prompted for Credentials
NTLM authentication does not work in some cases when the Web Security appliance is connected to a WCCP v2 capable device. When a user makes a request with a highly locked-down version of Internet Explorer that does not do transparent NTLM authentication correctly and the appliance is connected to a WCCP v2 capable device, the browser defaults to Basic authentication. As a result, users are prompted for their authentication credentials when they should not be.
Workaround