WSA transparent user authentication SSO

reynaldolopeza
Level 1

Hi, I have the following question.

 

We have implemented Two WSAs in HA and WCCP transparent mode and configured the rules with IP addresses, now we want to filter rules using AD users, and groups. I've read that in order to authenticate users transparently and without any prompts in the explorers we need to use TUI and a CDA agent.

I want to know if we need to configure every user's browser manually in order to have SSO and no prompts for users; if that is true, it would mean a huge workload for us.

And in this case, which authentication scheme (Kerberos, NTLMSSP) is recommended for HTTP and HTTPS traffic?

 

Please help me with this issue.

4 Replies

If you use CDA (with Windows AD 2012 and older; 2016 and newer aren't supported), you don't have to configure browsers, as CDA scrapes the AD boxes for sign-on events and forwards the user ID and IP to the WSA.



Even if you didn't use CDA, investigate Group Policies to configure the browsers (IE/EDGE/Chrome) to auth to the WSA transparently.

Even with GPO in place, some apps don't support web auth, so they'll fail if they try to hit the internet before the user opens a browser. CDA fixes that too.




Hi Ken, thanks for your quick response.

 

I may have misunderstood the concepts of SSO and transparent authentication. So, what you are saying is that I don't have to configure browsers for SSO if I use CDA, but I do need to configure browsers to authenticate users to the WSA transparently? Please give me more detail about these statements.

 

If you deploy CDA, the users are authenticated before they ever hit the web.





If at all possible, you should configure the browsers to transparently auth, just to cover all of the bases/minimize issues your users might see.

If you configure the WSA right, it's not that big of a deal.

Keep in mind the WSA joins the domain, and the Proxy interface should have a DNS name/entry in your local DNS so it appears like an "intranet" web server...
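The two replies above (browsers configured via GPO to authenticate transparently, and the proxy interface having a DNS name so it looks like an intranet server) can be checked from a domain-joined client. The following PowerShell script is an added example and is not code from the thread or from Cisco; the hostname `wsa-proxy.corp.example` is a placeholder, and the registry paths are the standard Internet Explorer/Edge zone-map locations that Chrome on Windows also honours (the Policies key is where the "Site to Zone Assignment List" GPO writes).

```powershell
# Added example (not from the thread): client-side checks for transparent
# browser authentication to a WSA proxy. Placeholder FQDN below; replace it
# with the DNS name of your own WSA proxy interface.
$ProxyFqdn = 'wsa-proxy.corp.example'   # placeholder
$ShortName, $DnsDomain = $ProxyFqdn -split '\.', 2

# 1. The proxy interface needs a local DNS entry so browsers treat it as an
#    intranet host rather than an Internet host.
try {
    $rec = Resolve-DnsName -Name $ProxyFqdn -Type A -ErrorAction Stop
    Write-Output "DNS OK: $ProxyFqdn -> $($rec.IPAddress -join ', ')"
} catch {
    Write-Warning "DNS lookup for $ProxyFqdn failed: $($_.Exception.Message)"
}

# 2. Zone assignment: value 1 = Local intranet, which is the zone in which
#    IE/Edge/Chrome send Windows credentials without prompting.
#    The GPO 'Site to Zone Assignment List' writes under the Policies keys;
#    a manually added site lands under the per-user key.
$zonePaths = @(
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$DnsDomain\$ShortName",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$DnsDomain\$ShortName",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$DnsDomain\$ShortName"
)
$inIntranet = $false
foreach ($p in $zonePaths) {
    if (Test-Path $p) {
        $props = Get-ItemProperty -Path $p
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 1) {
                $inIntranet = $true
                Write-Output "Zone OK: $scheme://$ProxyFqdn is in Local intranet ($p)"
            }
        }
    }
}
if (-not $inIntranet) {
    Write-Warning "$ProxyFqdn is not in the Local intranet zone; expect auth prompts or failures."
}

# 3. After the browser has authenticated through the proxy, a Kerberos
#    service ticket for HTTP/<proxy FQDN> should be in the ticket cache.
#    If it never appears, the browser is probably falling back to NTLMSSP.
$tickets = & klist.exe 2>$null
if ($tickets -match "HTTP/$ProxyFqdn") {
    Write-Output "Kerberos service ticket present for HTTP/$ProxyFqdn"
} else {
    Write-Output "No HTTP/$ProxyFqdn ticket cached yet; browse through the proxy first, or check for NTLMSSP fallback."
}
```

Run it in a normal user session on a test workstation after opening a web page through the proxy; step 3 only tells you something once a browser has actually negotiated with the WSA.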