It's been a little while since I deployed a WSA and I see a new tool, the Active Directory Agent. I understand from the docs it's used to get usernames from AD for the current logged on user when using NTLM authentication for transparent auth.
My question is why?!
When I last set up a WSA with NTLM for transparent auth we didn't have to use the Agent. NTLM revealed the username as part of what it does and we could use that to bind sessions with access policies, etc.
Yet the docs say:
"Create an NTLM authentication realm and enable transparent user identification.
In addition, you must deploy a separate utility called the Cisco Active Directory Agent (AD Agent)."
So, why is that? What does the agent get me that I didn't use to get? Do I really have to use it?
No, you don't have to use it. It makes a few things work better, namely internet apps that do not support authentication can be authenticated before the app starts using AD. We have a couple of apps that without the ADAgent, the user has to hit an external web page first, then the app will work. Also if you're running Windows, but the browser of choice can't do AD integrated auth, this would address the issue.
The ADAgent is the same app as used for the ASA "Identity Firewall" features, you can use the same install...