I am deploying WSA S170 for a customer in explicit forward mode and I want to integrate the WSA with AD using NTLM authentication to achieve single sign-on (SSO). However, I am facing a problem in configuring the authentication realm in the "Active Directory Account" sub-section of the NTLM realm. Could you please guide me about the steps required for this?
What should I put in the location tab, and which AD account should I use when it prompts for username/password after clicking "join domain"?
The location field will determine where the WSA creates its machine account in AD when you join the WSA to the domain. If you want the machine account in a different directory than the default Computers then you will update this path ensuring the names are typed in to match all spaces and case.
The account it is asking you to use needs to be a domain admin account that has privileges to add machine accounts.
One other thing to note when setting up the WSA to support SSO is that you will need to do one of the following for IE/Chrome/Safari:
1. In the GUI > Network > Authentication > edit global settings > redirect hostname you will need to configure the short hostname/NETBIOS name of the WSA (if the FQDN is ironport.cisco.com, then the short hostname will be ironport. This will also need to be resolvable in DNS.)
2. Or you can use the FQDN in the redirect hostname, but this will require that the FQDN of the WSA is added to the intranet sites list under the security tab in IE > tools > internet options.
For Firefox you will need to follow these steps:
Firefox is not sending authentication credentials transparently. Internet Explorer is working correctly with transparent authentication.
Some versions of Firefox do not automatically trust all servers to send transparent credentials to. The newest versions appear to be having the problem.
You will need to manually add the WSA transparent authentication redirection hostname into the trusted URLs in Firefox. This value can be found in WSA GUI -> Network -> Authentication -> “Redirect Hostname”
1. Open Firefox and type “about:config” in the address bar. (without the quotes)
2. In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris”
3. Double click the name of the preference that we just searched for
4. Enter the Transparent Authentication Redirect Hostname
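As an added example (not code from the original thread), a small Python helper that turns the Firefox steps above into something deployable: it derives the short hostname from the WSA FQDN, merges the redirect hostname into an existing network.automatic-ntlm-auth.trusted-uris value without duplicates, emits the equivalent Firefox enterprise policies.json (Authentication.NTLM) so users do not have to edit about:config by hand, and checks that the hostname resolves in DNS as option 1 requires. The FQDN wsa.example.local and the stub resolver are assumed placeholders.

```python
import json
import socket

def short_hostname(fqdn: str) -> str:
    """NETBIOS-style short name = first DNS label (ironport.cisco.com -> ironport)."""
    return fqdn.split(".")[0]

def merge_trusted_uris(existing: str, redirect_hostname: str) -> str:
    """Return the comma-separated trusted-uris pref with the redirect hostname added once.
    Firefox matches entries case-insensitively, so compare lower-cased."""
    entries = [e.strip() for e in existing.split(",") if e.strip()]
    if redirect_hostname.lower() not in [e.lower() for e in entries]:
        entries.append(redirect_hostname)
    return ",".join(entries)

def user_js_line(trusted_uris: str) -> str:
    """Equivalent of steps 1-4 as a user.js line, for scripted rollout."""
    return f'user_pref("network.automatic-ntlm-auth.trusted-uris", "{trusted_uris}");'

def firefox_policy(redirect_hostname: str) -> dict:
    """Enterprise policies.json: list the host under Authentication.NTLM; a short
    (non-FQDN) hostname also needs AllowNonFQDN.NTLM so Firefox will send credentials."""
    return {
        "policies": {
            "Authentication": {
                "NTLM": [redirect_hostname],
                "AllowNonFQDN": {"NTLM": "." not in redirect_hostname},
            }
        }
    }

def resolvable(hostname: str, resolver=socket.gethostbyname) -> bool:
    """True if the redirect hostname resolves; option 1 requires the short name in DNS."""
    try:
        resolver(hostname)
        return True
    except OSError:
        return False

if __name__ == "__main__":
    fqdn = "wsa.example.local"  # placeholder, not a real WSA
    redirect = short_hostname(fqdn)
    prefs = merge_trusted_uris("intranet.example.local", redirect)
    print(user_js_line(prefs))
    print(json.dumps(firefox_policy(redirect), indent=2))
    # constructed resolver stub so the check runs offline
    fake_dns = {"wsa": "10.0.0.5"}
    print("resolvable:", resolvable(redirect, resolver=lambda h: fake_dns[h]))
```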