SSO Authentication

fermendo
Level 1

Hello all,

I have a couple of WSAs working with AD authentication. Machines that are part of the AD domain work fine with SSO. The thing is that machines that are NOT joined to the domain get the prompt for credentials. Is there a way to disable this behavior? The ideal scenario is that if credentials are not obtained via SSO, then the WSA doesn't ask for them. Is this possible?

Thanks a lot for your help!!

Accepted Solution

jowolfer
Level 1

Fernando,

There is only one way to have the WSA not ask for credentials. This would only work if all of your machines that are not joined to the domain have statically assigned IP addresses or all belong to specific subnets.

You could create an additional Identity policy above your current one, that states for IP / subnets x, do not authenticate.

The other thing that may work for you is to enable "Guest" policies in your Identity policy.

The computers not joined to domains will still send the credentials automatically the first time. The issue is that since they are sending local credentials instead of domain credentials, they fail and then the user is prompted.

Guest policies make it so if the credentials fail the first time, the WSA will not ask again. It will consider the user a "guest" and then apply any access policies that don't require users / groups.

Hope this helps you set up the WSA!

Cheers!

Josh

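To make the two mechanisms in the accepted answer concrete, here is a small model of a first-match identity list with an optional guest fallback. It is an added illustration, not WSA code or anything from Cisco; the identity names, subnets, accounts and the `evaluate` function are all constructed for the example. It shows why a domain-joined client is never prompted, why a non-domain client is prompted when its local credentials fail, and how a "no authentication" identity placed above the authenticated one, or the guest option on that identity, removes the prompt.

```python
"""Toy first-match identity policy evaluation with a guest fallback.

Added example; not the appliance's own code. All names, subnets and
accounts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Identity:
    name: str
    members: List[str]              # CIDR subnets / single IPs; empty = any client
    authenticate: bool              # False models "No Authentication"
    guest_on_failure: bool = False  # models the "Guest" option on the identity


@dataclass
class Decision:
    identity: str
    user: Optional[str]   # authenticated principal, or None
    guest: bool           # request continues as a guest
    prompt: bool          # would the browser be prompted for credentials?


# Credentials are (domain, username, password) tuples offered by the client.
Creds = Tuple[str, str, str]

# Constructed directory: only one domain account exists.
VALID_DOMAIN_ACCOUNTS = {("CORP", "alice"): "s3cret"}


def verify_domain_creds(creds: Creds) -> Optional[str]:
    """Return 'DOMAIN\\user' if the offered credentials match a domain account.
    Local machine credentials (e.g. 'PC1\\bob') never match, which is what
    happens when a non-domain-joined machine sends its cached credentials."""
    domain, user, password = creds
    if VALID_DOMAIN_ACCOUNTS.get((domain, user)) == password:
        return f"{domain}\\{user}"
    return None


def ip_in_members(ip: str, members: List[str]) -> bool:
    """Empty member list matches every client; otherwise match any subnet/IP."""
    if not members:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def evaluate(policies: List[Identity], client_ip: str, offered: Creds,
             verify: Callable[[Creds], Optional[str]] = verify_domain_creds) -> Decision:
    """Walk the identity list top to bottom; the first identity whose
    membership matches the client decides the outcome."""
    for ident in policies:
        if not ip_in_members(client_ip, ident.members):
            continue
        if not ident.authenticate:
            return Decision(ident.name, None, False, False)
        user = verify(offered)
        if user is not None:
            return Decision(ident.name, user, False, False)
        if ident.guest_on_failure:
            # Credentials failed once; treat the user as a guest, do not re-prompt.
            return Decision(ident.name, None, True, False)
        # Credentials failed and no guest fallback: the user gets the prompt.
        return Decision(ident.name, None, False, True)
    return Decision("<no identity matched>", None, False, False)


def build_policies(guest_enabled: bool) -> List[Identity]:
    """Constructed policy list: a no-auth identity for a kiosk subnet placed
    above the general authenticated identity."""
    return [
        Identity("Guests and Kiosks", ["10.99.0.0/24"], authenticate=False),
        Identity("Authenticated Users", [], authenticate=True,
                 guest_on_failure=guest_enabled),
    ]


# Constructed sample clients.
DOMAIN_JOINED = ("10.1.1.10", ("CORP", "alice", "s3cret"))
NOT_JOINED = ("10.1.1.20", ("PC1", "bob", "localpw"))   # local creds sent first
KIOSK = ("10.99.0.5", ("KIOSK", "user", "x"))


def outcomes(guest_enabled: bool) -> dict:
    policies = build_policies(guest_enabled)
    return {
        "domain_joined": evaluate(policies, *DOMAIN_JOINED),
        "not_joined": evaluate(policies, *NOT_JOINED),
        "kiosk": evaluate(policies, *KIOSK),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"guest option enabled = {flag}")
        for who, d in outcomes(flag).items():
            print(f"  {who:14s} -> identity={d.identity!r} user={d.user} "
                  f"guest={d.guest} prompt={d.prompt}")
```

Running the block prints the decision for each client with the guest option off and on: the non-joined machine is the only one whose outcome changes, from a prompt to a guest decision, while the kiosk subnet is handled by the earlier no-authentication identity regardless of the flag.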

6 Replies


Hello Josh,

Thanks for your answer!

The GUEST option worked fine, the only thing is that if WSA is set to explicit mode it works fine, but on transparent the browser needs to trust the WSA in order to achieve real SSO.

Thanks a lot!

Fernando

What do you mean by explicit mode? I am wondering the same exact thing and I'm hoping that we can resolve it.

Is it in the Identities for authenticated users where it says the Explicit Forward Request checkbox? It says: "Apply same surrogate settings to explicit forward requests. If this option is not selected, no surrogates will be used with explicit forward requests and NTLM credential caching will not be available to these requests."

Currently we have it checked.


We do have another identity above our "Authenticated Users" called Guests and Kiosks.  In this identity we have IP Addresses and Define Members by Authentication is set to "No Authentication".  However for real guests, we cannot be burdened to see what IP address they were assigned.  Plus we plan to offer wireless with a guest access.  However that will be on another subnet so it will be easy to identify those users.

Explicit means that the browser has specifically been configured to use the WSA as a proxy. In IE, this is in Tools -> Internet Options -> Connections -> LAN Settings. As opposed to transparent, which is when you redirect the client outbound port 80 traffic to go to the WSA instead of the network gateway / firewall.

So basically we have it set wrong then? Because it's checked off on our setup. However, we did not tell the browser anything. In fact some people even use Firefox or Chrome, and I didn't even look to see if there are any ADM templates to push out specific settings for them. Our ASA uses WCCP to redirect port 80 traffic to the appliance.

Since your ASA is redirecting the traffic transparently to the WSA, you don't need to set the browser setting.

The option that you found is just a way to override the standard explicit auth mechanism and use a transparent style of authenticating. This would only affect explicit traffic though, so it's not really relevant to how you have the WSA deployed.

Cheers,

Josh