
Client authentication without specifying the AD domain?

Stafford Rau
Level 1

I'm hoping this will be a simple enough question.

We have a pair of IronPort S370s managed by an M670 for web content filtering and reporting. We have "Use Basic or NTLMSSP" for the authentication scheme, and users who use IE as their browser are being transparently authenticated as expected.

For non-Windows clients, or users who use anything other than IE, when they get the authentication popup, they have to enter DOMAIN\username and their AD password for authentication to work. Is there a way to configure authentication so that they only need to enter their username and password, without prefixing the Active Directory DOMAIN\?

Thanks much,

--Stafford

3 Replies

Jeffrey Ness
Level 1

Did you ever find a resolution to this? I am having an issue with Basic authentication for HTTPS sites and users having to prefix their username with the domain name (even in Internet Explorer).

There is another post here; they fixed it by just going with NTLMSSP.

Or you could go to 7.5, and deploy the AD Agent, which gets the login info from AD security logs...

https://supportforums.cisco.com/thread/2134087

I was able to get this to work on Basic only by selecting only the Active Directory realm in the Identity (which btw wipes out {understandably} any Users/Groups defined under the identity in the Access Policies) and not using the syntax domain\username in my list of users under the Access Policy's Identity settings (and just using username or groups).

I'm waiting for some information from support on the AD Agent to see if it would work in our scenario (generic PC users), but 7.5 got pulled due to some issues until they can be fixed in an unscheduled release 7.5.1.