Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2509
Views
0
Helpful
2
Replies

WSA SSO using NTLM

rmujeeb81
Level 1
Level 1

‎02-18-2014 11:50 AM

Hi All,

I am deploying WSA S170 for a customer in explicit forward mode and I want to integrate the WSA with AD using NTLM authentication to achieve single sign on (SSO). However I am facing pronlem in configuring authentication realem in "Active Directory Account" sub section of NTLM realem. Could you please guide about the steps required for this ?

What should I put in the location tab and which AD acccount I should put when it prompts for username/password after clicking "join domain" ?

Thanks

Labels:
0 Helpful
2 Replies 2

Ken Stieers
VIP
VIP

‎02-18-2014 12:03 PM

That wants an account that has access to add machines to the domain.

0 Helpful

Michael Hautekeete
Cisco Employee
Cisco Employee
In response to Ken Stieers

‎02-19-2014 06:45 AM

The location field will determine where the WSA creates its machine account in AD when you join the WSA to the domain. If you want the machine account in a different directory than the default Computers then you will update this path ensuring the names are typed in to match all spaces and case.

The account it is asking you to use needs to be a domain admin account that has privileges to add machine accounts.

One other thing to note when setting up the WSA to support SSO is that you will need to do one of the following for IE/Chrome/Safari;

     1. In the GUI > Network > Authentication > edit global settings > redirect hostname you will need to configure the short hostname/NETBIOS name of the WSA ( if the FQDN is ironport.cisco.com, then the short hostname will be ironport. This will also need to be resolvable in DNS.)

     2. Or you can use the FQDN in the redirect hostname, but this will require that the FQDN of the WSA is added to the intranet sites list under the security tab in IE > tools > internet options.

For Firefox you will need to follow these steps;

Firefox is not sending authentication credentials transparently. Internet Explorer is working correctly with transparent authentication.

Solution:

Some versions of Fire Fox do not automatically trust all servers, to send transparent credentials to. The newest versions appear to be having the problem.

You will need to manually add the WSA transparent authentication redirection hostname into the trusted URLs in Fire Fox. This value can be found in WSA GUI -> Network -> Authentication -> “Redirect Hostname”

1. Open Firefox and type “about:config” in the address bar. (without the quotes)

2. In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris”

3. Double click the name of the preference that we just searched for

4. Enter the Transparent Authentication Redirect Hostname

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091

0 Helpful
Customers Also Viewed These Support Documents