02-18-2014 11:50 AM
Hi All,
I am deploying WSA S170 for a customer in explicit forward mode and I want to integrate the WSA with AD using NTLM authentication to achieve single sign on (SSO). However I am facing a problem in configuring the authentication realm in the "Active Directory Account" sub section of the NTLM realm. Could you please guide me on the steps required for this?
What should I put in the location tab and which AD account should I put when it prompts for username/password after clicking "join domain"?
Thanks
02-18-2014 12:03 PM
That wants an account that has access to add machines to the domain.
02-19-2014 06:45 AM
The location field will determine where the WSA creates its machine account in AD when you join the WSA to the domain. If you want the machine account in a different directory than the default Computers, then you will update this path, ensuring the names are typed in to match all spaces and case.
The account it is asking you to use needs to be a domain admin account that has privileges to add machine accounts.
One other thing to note when setting up the WSA to support SSO is that you will need to do one of the following for IE/Chrome/Safari:
1. In the GUI > Network > Authentication > edit global settings > redirect hostname you will need to configure the short hostname/NETBIOS name of the WSA (if the FQDN is ironport.cisco.com, then the short hostname will be ironport. This will also need to be resolvable in DNS.)
2. Or you can use the FQDN in the redirect hostname, but this will require that the FQDN of the WSA is added to the intranet sites list under the security tab in IE > tools > internet options.
For Firefox you will need to follow these steps:
Firefox is not sending authentication credentials transparently. Internet Explorer is working correctly with transparent authentication.
Solution:
Some versions of Firefox do not automatically trust all servers to send transparent credentials to. The newest versions appear to be having the problem.
You will need to manually add the WSA transparent authentication redirection hostname into the trusted URLs in Firefox. This value can be found in WSA GUI -> Network -> Authentication -> “Redirect Hostname”
1. Open Firefox and type “about:config” in the address bar. (without the quotes)
2. In the ‘Filter’ field type the following “network.automatic-ntlm-auth.trusted-uris”
3. Double click the name of the preference that we just searched for
4. Enter the Transparent Authentication Redirect Hostname
Hope this helps.
Best Regards,
Michael Hautekeete
Customer Support Engineer
Cisco Content Security - Web Security Appliance
http://www.cisco.com/en/US/products/ps11169/serv_group_home.html
https://supportforums.cisco.com/community/netpro/security/web
https://supportforums.cisco.com/community/feeds?community=2091
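As an added check (this is not part of the reply above or Cisco's own tooling), the PowerShell snippet below, run from a domain-joined Windows host with the ActiveDirectory and DnsClient modules, verifies the two things the reply calls out: that the redirect hostname and FQDN resolve in DNS, and that the machine account created by "Join Domain" landed in the container typed into the Location field. The hostnames, the OU path and the assumption that the machine account is named after the short hostname are placeholders to replace with your own values.

```powershell
# Added example, not from the thread. All values below are assumed placeholders.
$RedirectHostname = 'ironport'                                  # Network > Authentication > Redirect Hostname
$WsaFqdn          = 'ironport.cisco.com'                        # FQDN used as the example in the thread
$MachineAccount   = 'ironport'                                  # assumed: machine account name = short hostname
$ExpectedOu       = 'OU=Proxies,OU=Servers,DC=example,DC=com'   # assumed: what was typed in the Location field

# 1. Both the short name and the FQDN must resolve, otherwise the browser is
#    redirected to a hostname it cannot reach and NTLM never starts.
function Test-WsaDns {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress
            Write-Host ("DNS OK   {0} -> {1}" -f $name, ($ips -join ', '))
        } catch {
            Write-Warning ("DNS FAIL {0}: {1}" -f $name, $_.Exception.Message)
        }
    }
}

# 2. The computer object should exist and its parent container should match the
#    Location field exactly (same spaces; the DN compare itself is case-insensitive).
function Test-WsaMachineAccount {
    param([string]$Name, [string]$Ou)
    $acct = Get-ADComputer -Filter "Name -eq '$Name'" -Properties DistinguishedName, LastLogonDate
    if (-not $acct) {
        Write-Warning "No computer object named '$Name' found; the domain join did not complete"
        return
    }
    $parent = ($acct.DistinguishedName -split ',', 2)[1]
    if ($parent -ieq $Ou) {
        Write-Host ("AD OK    {0}" -f $acct.DistinguishedName)
    } else {
        Write-Warning ("AD object is in '{0}', not '{1}'; re-check the Location field" -f $parent, $Ou)
    }
    Write-Host ("Last logon of machine account: {0}" -f $acct.LastLogonDate)
}

Test-WsaDns -Names @($RedirectHostname, $WsaFqdn)
Test-WsaMachineAccount -Name $MachineAccount -Ou $ExpectedOu
```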