NTLM SSP will not authenticate.
07-07-2008 07:22 PM
Ok...I must be doing something horribly wrong.
2 things I can't seem to accomplish.
1. Getting rid of Authentication pop-ups in a browser for a user logged into the domain.
2. Even if I try to authenticate, it won't let me.
My NTLM realm looks like this, running ASyncOS 5.1.2 S650
Active Directory Domain = DOMAIN.WFISD.NET
NetBIOS Domain = DOMAIN
Told the ironport to create its user account webgate$ in DOMAIN/Domain Controllers
However, in an attempt to troubleshoot, I have created the webgate$ account in various other places by rejoining the ironport to our domain.
The NTLM test works fine, but every time we open a browser it prompts for credentials. LDAP works great, but I am unable to authenticate at all using NTLM SSP. I have added all the domain groups from the directory lookup in the web policy, and I have also tried entering single usernames to see if the authentication works. All to no avail.
Please help.
Thanks in advance.
07-08-2008 04:31 PM
How are your clients connecting to the proxy? Are they explicitly configured to use the WSA or transparently redirected? This will make a big difference as to why transparent credentials are not working.
Also, I highly recommend upgrading to the latest 5.2 version of the WSA, as the authentication code was completely changed and made much better.
When you are prompted for credentials, they are never accepted? Are you entering the domain in with the credentials? The domain is case sensitive as well. It is typically in all CAPS.
07-09-2008 04:00 PM
To answer your questions.
Proxy mode on the WSA is set to transparent. I have also put the DNS name of the WSA in its config file as the prox.etc.transparentauthserver value. The clients are specifically set to use the proxy DNS name in their browser.
Have tried adding a trust in IE7 and Firefox to no avail.
I am able to enter my credentials after all. That was an issue with our AD and Edir. not synchronizing. Got that fixed.
As far as I know I am at the latest ASyncOS version 5.2.1-052
Thanks.
07-18-2008 09:28 AM
Hi,
The latest is AsyncOS 5.5.2-030; I tried configuring ntlmssp with no problems.
I redirected the internal proxy to point to ironport with no problems.
Do you have screen captures from when you test the authentication query?
07-18-2008 01:19 PM
I can get you some screenshots and post them on here.
I'm going to attempt the upgrade first. For some reason I couldn't see an upgrade option via the GUI, but I can see 5.5.2 through the CLI.
I'll post back.
