ASA - SSL/VPN auto signon

Unanswered Question
Apr 10th, 2008

ASA 5510 v8.0(3)

I've got our ASA SSL/VPN set up with an AAA server (using LDAP) and users can log in just fine.

The only thing we have it configured for is to use the RDP plugin. We've got a couple of bookmarks set up that send the users to internal Windows 2003 terminal servers. That works fine.

Now, I'm trying to get the auto signon feature to work properly. (We don't have SiteMinder or the SAML profile.) If I understand this right, I don't need those two third-party features to get this working. Is this correct?

All I've done is add the following commands:

webvpn
 enable outside
 enable inside
 tunnel-group-list enable
 auto-signon allow ip 10.10.1.0 255.255.255.0 auth-type ntlm

According to the ASA 8.0 Configuration Guide, that should do it. But when I access one of our bookmarks, it connects just fine but still prompts for the username and password. I've configured the group policy to inherit the auto sign-on settings (and pretty much everything else).

Can someone maybe recommend something I may be overlooking here? Do I need to configure something further on my terminal server that accepts this NTLM request?

------------------

A little more info: When I don't enable the auto signon, the RDP plugin works just fine and I can easily get the sign-on screen to my terminal server. However, when I enable anything in the auto signon, the RDP client launches, but it stays as a tiny little box in the center of the screen and it'll eventually time out and close. This tiny little box isn't expandable either. I've tried debugs, but don't see anything. No errors on the terminal server itself either.

jsivulka Wed, 04/16/2008 - 08:54

You can do the Auto Sign-on through Smart Tunnel. While the smart tunnel now allows Java applets to work for some applications, single sign-on no longer works for it. Try creating a bookmark for the application and enable the ST option. This is a Smart Tunnel limitation (auto-signon does not work with it).

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008017b2a4.shtml
