WSA credential encryption with NTLM authentication?

c-kn
Level 1

I have a new WSA that we are setting up. I need the user credentials to be passed to the WSA by the browser automatically through SSO. I had to disable credential encryption in the global authentication settings to get it to work. I can't find anything in the documentation that says SSO needs this to be unchecked or not.

Kerberos and NTLMSSP are both working without it. Does anyone know if this is normal behavior?

Basic authentication does work with the encryption on. I can also get Firefox to authenticate with it on through NTLM. Firefox detects the proxy and will send credentials if you click a popup. I don't think I had an issue with my server certificate because of this.

2 Replies

balaji.bandi
Hall of Fame

What version of async code is running on the WSA? It all depends on the deployment: are all your devices centrally managed by SCCM to push policies and settings?

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117934-technote-csc-00.html

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118487-technote-wsa-00.html

Some tips in the guide below may help you:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3771.pdf

BB


I'm running 14.0.1 on my WSA appliances. I have 2 S695s behind an F5 LTM. I'll be using group policy to push the F5 VIP and any browser settings. The WSA appliances are deployed in explicit (forward) mode.

The links you provided are useful and I have seen them before. The Cisco Live slide show does say to enable credential encryption when using Basic authentication. I'm pretty sure that is noted in the user guide as well.

My question is specifically whether or not credential encryption is supposed to work with NTLMSSP and/or Kerberos. Particularly with NTLMSSP to protect against man in the middle attacks.

I haven't gotten NTLMSSP or Kerberos to work individually or together with credential encryption enabled. I'm not sure if it's even supposed to.

Thanks,

CK
