WSA SSO using NTLM

Hi All,

I am deploying WSA S170 for a customer in explicit forward mode and I want to integrate the WSA with AD using NTLM authentication to achieve single sign on (SSO). However I am facing a problem in configuring the authentication realm in the "Active Directory Account" sub section of the NTLM realm. Could you please guide me about the steps required for this?

What should I put in the location tab, and which AD account should I use when it prompts for username/password after clicking "join domain"?

Thanks

  • Web Security
2 REPLIES

WSA SSO using NTLM

That wants an account that has access to add machines to the domain.

Cisco Employee

WSA SSO using NTLM

The location field will determine where the WSA creates its machine account in AD when you join the WSA to the domain. If you want the machine account in a different directory than the default Computers then you will update this path ensuring the names are typed in to match all spaces and case.

The account it is asking you to use needs to be a domain admin account that has privileges to add machine accounts.

One other thing to note when setting up the WSA to support SSO is that you will need to do one of the following for IE/Chrome/Safari:

1. In the GUI > Network > Authentication > edit global settings > redirect hostname you will need to configure the short hostname/NETBIOS name of the WSA (if the FQDN is ironport.cisco.com, then the short hostname will be ironport. This will also need to be resolvable in DNS.)

2. Or you can use the FQDN in the redirect hostname, but this will require that the FQDN of the WSA is added to the intranet sites list under the security tab in IE > tools > internet options.

For Firefox you will need to follow these steps:

Firefox is not sending authentication credentials transparently. Internet Explorer is working correctly with transparent authentication.

Solution:

Some versions of Firefox do not automatically trust all servers to send transparent credentials to. The newest versions appear to be having the problem.

You will need to manually add the WSA transparent authentication redirection hostname into the trusted URLs in Firefox. This value can be found in WSA GUI -> Network -> Authentication -> "Redirect Hostname".

1. Open Firefox and type "about:config" in the address bar (without the quotes).

2. In the 'Filter' field type the following: "network.automatic-ntlm-auth.trusted-uris"

3. Double click the name of the preference that we just searched for.

4. Enter the Transparent Authentication Redirect Hostname.

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091
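As an added example (not from the original post, not Cisco's code), here is a small check for the Firefox step in the reply above: it reads the `network.automatic-ntlm-auth.trusted-uris` preference out of a profile's `prefs.js`/`user.js` text, tells you whether the WSA redirect hostname is already covered, and builds the `user.js` line that adds it if not. The sample prefs text and hostnames are constructed, and the matching rule (entries compared by host, a bare entry also matching as a dot-separated suffix) is an assumption about Firefox's behaviour, so verify it against your Firefox version.

```python
import re

PREF = "network.automatic-ntlm-auth.trusted-uris"
_PREF_RE = re.compile(r'user_pref\("' + re.escape(PREF) + r'",\s*"([^"]*)"\);')

# Constructed sample of a prefs.js file; not taken from a real profile.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.automatic-ntlm-auth.trusted-uris", "intranet.example.com, https://mail.example.com");
"""


def trusted_uris(prefs_js: str) -> list[str]:
    """Return the trusted-uris entries; if the pref appears more than once the last one wins."""
    entries: list[str] = []
    for m in _PREF_RE.finditer(prefs_js):
        entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return entries


def covers(entry: str, hostname: str) -> bool:
    """Does one trusted-uris entry cover hostname?

    Assumed rule: an entry with a scheme is reduced to its host part; a bare
    entry matches the host exactly or as a dot-separated suffix (".example.com").
    """
    host = hostname.lower().rstrip(".")
    e = entry.lower()
    if "://" in e:                       # strip scheme, path and port
        e = e.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    e = e.lstrip(".")
    return host == e or host.endswith("." + e)


def is_trusted(prefs_js: str, hostname: str) -> bool:
    """True if the WSA redirect hostname is already trusted for transparent NTLM."""
    return any(covers(e, hostname) for e in trusted_uris(prefs_js))


def add_trusted(prefs_js: str, hostname: str) -> str:
    """Build the user.js line that keeps existing entries and adds hostname if missing."""
    entries = trusted_uris(prefs_js)
    if not is_trusted(prefs_js, hostname):
        entries.append(hostname)
    joined = ",".join(entries)
    return f'user_pref("{PREF}", "{joined}");'


if __name__ == "__main__":
    print(is_trusted(SAMPLE_PREFS, "ironport"))       # short redirect hostname, not yet trusted
    print(add_trusted(SAMPLE_PREFS, "ironport"))      # line to drop into user.js
```

Run it against the real `prefs.js` by reading the file into `prefs_js`; the returned line can be appended to `user.js` and pushed out with the same tooling you use for other desktop settings.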
