Single sign-on in a PIX/ACS - Win Active Directory environment.
My company is trying to reduce the number of user IDs and passwords that a typical user needs to access our applications to, hopefully, one. We refer to this as single sign-on. The idea is to have the user authenticate once at initial Windows sign-on to the Windows/Kerberos domain controller and have Kerberos issue a certificate or token to the user. Once the user has been authenticated, a utility running on the PC would respond to any further ID/password requests using the certificate/token and not prompt the user for authentication again.
The challenge seems to be getting my PIX firewall and the ACS server to participate correctly in the process. For access control and accounting purposes, the PIX is set up to authenticate HTTP users through the ACS server and the Windows domain controller. In the future, when the PIX asks for authentication, the response will be something other than an ID/password.
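For readers who want to see what the setup described in the post looks like on the firewall side, here is an added example of a PIX 6.x cut-through proxy configuration for HTTP that hands authentication and accounting to ACS over TACACS+. This is illustrative configuration written for this page, not the poster's own configuration; the server tag `ACS`, the interface name `inside`, the server address `10.1.1.5` and the shared key are assumptions to be replaced with site values.

```text
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.5 SHARED-KEY-PLACEHOLDER timeout 10
aaa authentication include http inside 0 0 0 0 ACS
aaa accounting include http inside 0 0 0 0 ACS
timeout uauth 0:30:00 absolute
```

The `aaa authentication include http` line makes the PIX intercept outbound HTTP from inside hosts and challenge the browser for a username and password before the connection is allowed through; ACS then validates those credentials against the Windows domain when its Windows external user database is enabled. The `timeout uauth` line controls how long a successful authentication is cached per source address, which is what keeps users from being re-prompted on every new HTTP connection. The caveat for the single sign-on goal in the post: this PIX challenge is a plain username/password prompt, so a Kerberos ticket issued at Windows logon is not something the firewall itself can consume; a client-side utility answering the prompt and a generous `uauth` window reduce prompts but do not remove the password exchange from the path.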