SSO

grwrobel_ironport · ‎03-26-2008

Hi

Is there any way to integrate the windows login credentials with authentication feature on Ironport to make it SSO?

Regards

Greg

staylor_ironport · ‎03-26-2008

One way to do it is to use an LDAP server for authentication and by using that we can perform NTLM authentication which is SSO to the user (No boxes prompted) if you use basic LDAP then you will get prompted for username/password

jowolfer · ‎03-27-2008

Greg + MonkeyMadness,

The information in MonkeyMadness' post is not actually correct. NTLM and LDAP are different authentication mechanisms. It is true that you can use NTLM (SSP) to perform SSO. Please let me know if you need more details on authentication

More details below:

There are two stages in the authentication process:

Client to WSA and WSA to the authentication server.

All of the supported possibilities are listed below: (for forum munches format, so I'm color coded the options)
------------------------------------------
Client -> WSA WSA -> Auth server server type
Basic auth LDAP auth LDAP server
Basic auth LDAP auth AD server LDAP
Basic auth NTLM Basic aut AD server (NTLM Basic)
NTLM auth NTLMSPP auth AD server (NTLMSSP)
------------------------------------------
Note: NTLMSSP is commonly referred to as just NTLM

The noteworthy difference between Basic authentication and NTLM authentication are below:

Client Experience
------------------------------------------
Basic
The Client will always be prompted for credentials. After credentials have been entered, browsers will typically offer a check box to remember the credentials provided. Any time the browser is closed, the client will prompt again or send the previously remembered credentials again.

NTLM
The client will transparently authenticate using its Windows logon credentials. This is commonly referred to as SSO - Single Sign On.

The only cases in which the client will prompt for credentials is if the Windows credentials first fail (this will occur if the client is logged in locally to the computer – not to the domain used for authentication) or if the client does not trust the WSA.
------------------------------------------

Security
------------------------------------------
Basic
Credentials are sent insecurely using plain text. A simple packet capture between the client and the WSA will reveal the user's username AND password.

NTLM
Credentials are sent securely via a 3 way handshake (digest style authentication). The password is NEVER sent across the wire.

The NTLM process looks as such:
1. The Client sends an NTLM Negotiate packet. This tells the WSA that the client intends to do NTLM authentication

2. The WSA sends an NTLM Challenge string to the client.

3. The client uses an algorithm based on its password to modify the challenge and sends the challenge response to the WSA. The AD server then verifies that the client is using the correct password based on whether or not it modified the challenge string appropriately.
------------------------------------------
Note: NTLM Basic utilizes Basic authentication from the client and thus will have the same properties.

Microsoft Active Directory is a modified LDAP at the core and will support both standard LDAP and NTLM authentication. Most customers will desire to use NTLM over LDAP, due to the client security and experience downsides when using basic authentication.

slizarraga · ‎03-12-2012

Srs,

I have 2 questions.

Where/how do I configure the Client-WSA authentication? I know that the WSA-Auth Server configuration is in the Identitie configuration, but not where the client-wsa conf. is.

Have you ever had trouble with that configuration?

Some weeks ago I started have high response time (up to 27 000 ms!), when users started logging, that didn´t happened at night. Now I have disabled the authentication..

Did you experience or know about something like that?

Thanks for your help!

Sergio