How do I properly set up NTLM with SSO (credentials sent transparently)?
PDF(7.8 KB) View with Adobe Reader on a variety of devices
Updated:July 15, 2014
Symptoms: The browser prompts for credentials when NTLM authentication is used.
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
Several factors might affect whether the client sends its credentials automatically (SSO - Single Sign On), or prompts the end user to manually enter their credentials. Verify the following items when attempting to implement NTLM with SSO:
WSA Authentication Configuration:
Verify that the WSA is set up to use NTLMSSP and not NTLM Basic only
This setting can be found on the GUI under Web Security Manager > Identities page. Edit the appropriate Identity and then check the Define Members by Authentication > Authentication Schemes setting.
Select one of the following options:
Use Basic or NTLMSSP
NTLMSSP enables the functionality for the client to send the credentials securely and transparently to the web proxy.
NTLM Basic allows the client to send the username and password in plain text when prompted for the credentials.
The client chooses the best available method when the Use Basic or NTLMSSP option is selected (recommended). If the client supports NTLMSSP, it will use this method, and all other browsers will use Basic. This allows for maximum compatibility.
If the client does not trust the WSA, it will not send it's credentials transparently. The following are guidelines to help troubleshoot environments where the client does not trust the WSA.
The client does not trust the authentication redirection URL (transparent deployments only)
In a transparent deployment, the WSA must redirect the client to itself in order to perform the authentication. The client may or may not trust this redirected location.
By default, the WSA redirects to the FQDN of the P1 (or the M1 interface if it is used for proxy data). Since this is a FQDN, Internet Explorer will not trust it, as it believes this is a resource outside of its network.
There are two ways to make Internet Explorer trust the WSA:
Add the WSA interface FQDN to the trusted sites. Choose Tools > Internet Options > Security > Trusted Sites and click the Sites button.
Note: This configuration must be changed on every client.
Change the redirection URL that the WSA uses to be a DNS resolvable, single-word hostname.
This can be done through the web interface. Please login to your WSA as admin and navigate to Network > Authentication. Then click on "Edit Global Settings ..." and modify "Transparent Authentication Redirect Hostname"
If the WSA cannot resolve this hostname using DNS, alert messages for configuration errors will appear. It is recommended that you use the DNSCONFIG > localhosts (Note: 'localhosts' is a hidden command) command and add this hostname to resolve to the WSA interface used for proxy data.
If your clients cannot DNS resolve this hostname, your clients will not be able to proxy.