Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1717
Views
0
Helpful
6
Replies

SSO Authentication

Go to solution
fermendo
Level 1
Level 1

‎02-03-2011 12:50 PM

Hello all,

I have a couple of WSAs working with AD authentication. Machines that are part of the AD domain work fine with SSO. The thing is that machines that are NOT joined to the domain get the prompt for credentials. Is there a way to disable this behavior? The ideal scenario is that if credentials are not obtainded via SSO then, the WSA doesn't ask for them. Is this posible?

Thanks a lot for your help!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jowolfer
Level 1
Level 1

‎02-04-2011 08:01 AM

Fernando,

There is only one way to have the WSA not ask for credentials. This would only work if all of your machines that are not joined into the domain have statically assigned IP address or all belong to specific subnets.

You could create an additional Identity policy above your current one, that states for IP / subnets x, do not authenticate.

The other thing that may work for you is to enable "Guest" policies in your Identity policy.

The computers not joined to domains will still send the credentials automatically the first time. The issue is that since they are sending local credentials instead of domain credentials, they fail and then the user is prompted.

Guest policies make it so if the credentials fail the first time, the WSA will not ask again. It will consider the user a "guest" and then apply any access policies that don't require users / groups.

Hope this helps you setup the WSA!

Cheers!

Josh

View solution in original post

0 Helpful
6 Replies 6

Go to solution
jowolfer
Level 1
Level 1

‎02-04-2011 08:01 AM

Fernando,

There is only one way to have the WSA not ask for credentials. This would only work if all of your machines that are not joined into the domain have statically assigned IP address or all belong to specific subnets.

You could create an additional Identity policy above your current one, that states for IP / subnets x, do not authenticate.

The other thing that may work for you is to enable "Guest" policies in your Identity policy.

The computers not joined to domains will still send the credentials automatically the first time. The issue is that since they are sending local credentials instead of domain credentials, they fail and then the user is prompted.

Guest policies make it so if the credentials fail the first time, the WSA will not ask again. It will consider the user a "guest" and then apply any access policies that don't require users / groups.

Hope this helps you setup the WSA!

Cheers!

Josh

0 Helpful

Go to solution
fermendo
Level 1
Level 1
In response to jowolfer

‎02-08-2011 02:01 PM

Hello Josh,

Thanks for your answer!

The GUEST option worked fine, the only thing is that if WSA is set to explicit mode it works fine, but on transparent the browser needs to trust the WSA in order to achieve real SSO.

Thanks a lot!

Fernando

0 Helpful

Go to solution
keithsauer507
Level 5
Level 5
In response to fermendo

‎03-09-2011 10:22 AM

What do you mean by explicit mode?  I am wondering the same exact thing and I'm hoping

that we can resolve it.

Is it in the Identities for authenticated users where it says Explicit Forward Request checkbox?  It says

Apply same surrogate settings to explicit forward requests.  If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests.

Currently we have it checked.


We do have another identity above our "Authenticated Users" called Guests and Kiosks.  In this identity we have IP Addresses and Define Members by Authentication is set to "No Authentication".  However for real guests, we cannot be burdened to see what IP address they were assigned.  Plus we plan to offer wireless with a guest access.  However that will be on another subnet so it will be easy to identify those users.

0 Helpful

Go to solution
jowolfer
Level 1
Level 1
In response to keithsauer507

‎03-09-2011 12:30 PM

Explicit means that the browser has specifically been configured to use the WSA as a proxy. In IE, this is in Tools -> Internet Options -> Connections -> LAN Settings. As opposed to transparent, which is when you redirect the client outbound port 80 traffic to go to the WSA instead of the network gateway / firewall.

0 Helpful

Go to solution
keithsauer507
Level 5
Level 5
In response to jowolfer

‎03-09-2011 12:54 PM

So basically we have it set wrong then?  Because its checked off on our setup.  However we did not tell the browser anything.  In fact some people even use Firefox or Chrome, and I didnt even look to see if there are any adm templates to push out specific settings for them.  Our ASA uses wccp to redirect port 80 traffic to the appliance.

0 Helpful

Go to solution
jowolfer
Level 1
Level 1
In response to keithsauer507

‎03-09-2011 12:58 PM

Since your ASA is redirecting the traffic transparently to the WSA, you don't need to set the browser setting.

The option that you found is just a way to override the standard explicit auth mechanism and use a transparent style of authenticating. This would only effect explicit traffic though, so it's not really relevant to how you have the WSA deployed.

Cheers,

Josh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents