Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Integrated Windows Authentication
Integrated Windows Authentication
Help | Content Gateway | Version 7.7.3
Integrated Windows Authentication (IWA) is a robust method of authenticating users who all belong to shared-trust Windows domains (one or many).
Integrated Windows Authentication:
*
Uses Kerberos
*
Supports Windows Active Directory 2003 and 2008
*
Supports NTLM in both explicit and transparent proxy modes
*
Supports NTLMv2 and NTLMv1 with Session Security
*
Supports Internet Explorer 7 and later, Firefox 4 and later, Google Chrome 6 and later, Windows Safari 4 and later, Safari 4 and later on iPad iOS4, and Opera 10 and later
*
Supports UTF-8 user names
*
Supports fall back to prompted authentication
*
Can be used with the Multiple Realm Authentication option
*
Requires that clients be joined to the domain
*
Requires that client browsers specify the Fully Qualified Domain Name (FQDN) of Content Gateway as an intranet site or trusted site
*
In explicit proxy deployments, browsers must specify the FQDN of Content Gateway
Integrated Windows Authentication: Configuration summary
Follow these steps to configure Integrated Windows Authentication (IWA):
*
In Content Gateway Manager, enable IWA on the Configure > My Proxy > Basic page and click Apply.
*
Join Content Gateway to the Windows domain. See Configuring Integrated Windows Authentication for a list of required conditions.
*
If Content Gateway is a transparent proxy, configure Transparent proxy authentication settings.
*
Configure the Global Authentication Options. These options apply to NTLM authentication when IWA negotiates NTLM or falls back to NTLM.
Configuring Integrated Windows Authentication
1.
Navigate to Configure > My Proxy > Basic > General.
2.
In the Authentication section, click Integrated Windows Authentication On, and click Apply.
3.
In the Authentication section, click the Configure link to navigate to Configure > Security > Access Control.
4.
Join the Windows domain.
To join the domain:
*
Content Gateway must be able to resolve the domain name.
*
Content Gateway system time must be synchronized with the domain controller's time, plus or minus 1 minute.
*
The correct domain Administrator name and password must be specified.
*
There must be TCP/UDP connectivity to the domain controller(s) (ports 88, 389, 445).
*
If backup domain controllers are configured, they and their Kerberos Distribution Center (KDC) services must be reachable by Content Gateway on the network.
 
* 
Important 
All clients must be joined to the domain.
Browsers and other proxy clients must be configured to specify the FQDN of Content Gateway as an intranet site or trusted site.
a.
In the Domain Name field, enter the fully qualified domain name.
b.
In the Administrator Name field enter the Windows Administrator user name.
c.
In the Administrator Password field enter the Windows Administrator password.
The name and password are used only during the join and are not stored.
d.
Select how to locate the domain controller:
*
Auto-detect using DNS
*
DC name or IP address
If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.
e.
In the Content Gateway Hostname field, confirm that the hostname is the correct hostname and that it is no more than 15 characters (no more than 11 characters on V-Series appliances). If it is longer, it must be shortened if IWA is to be used. The length restriction results from the 15 character limit on NetBIOS hostnames.
 
* 
Warning 
The hostname should not be changed after the domain is joined. If it is changed, IWA immediately stops working and will not work again until the domain is unjoined and then re-joined with the new hostname.
f.
Click Join Domain. If there is an error, ensure that the conditions outlined above are met and then see Failure to join the domain.
5.
If Content Gateway is deployed as a transparent proxy, configure the Transparent proxy authentication settings and then continue with the next step.
6.
Configure the NTLM global settings. Navigate to the Configure > Security > Access Control > Global Authentication Options tab.
 
* 
Note 
These settings apply when IWA negotiates NTLM or falls back to NTLM.
a.
Fail Open – Specifies whether requests are allowed to proceed when user authentication fails.
When Fail Open is enabled and a Web Security XID agent is configured, if authentication fails and the client is identified by the XID agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
Fail Open options include:
*
Disabled – specifies that requests not proceed when authentication failures occur.
*
Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
– No response from the domain controller
– The client is sending badly formatted messages
*
Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
b.
IP address-based NTLM Credential Caching is enabled by default. Credential caching applies only when Content Gateway is an explicit proxy. Credentials are cached when authentication is successful.
c.
Caching TTL sets the time-to-live for entries in the credential cache. The default TTL is 900 seconds (15 minutes). To change the TTL, enter a new value in the entry field. The range of supported values is 300 to 86400 seconds.
d.
If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers), you must create a list of those servers in the Multi-user IP Exclusions field. Credentials for such users are not cached. Enter a comma separated list of IP addresses and IP address ranges.
 
* 
Note 
Alternatively, use multiple realm authentication, create a rule for these users, and enable Cookie Mode Caching.
If multiple realm authentication is used, rules must be created for all clients in your deployment.
Configuration is now complete. Restart Content Gateway and run some test traffic through the proxy to verify that authentication is working as expected. If there is a problem, see Troubleshooting Integrated Windows Authentication.
To unjoin the current domain and join a new domain
1.
Navigate to the Configure > Security > Access Control > Integrated Windows Authentication tab and click Unjoin.
2.
To join a new domain, in the Domain Name field, enter the fully qualified domain name.
3.
In the Administrator Name field enter the Windows Administrator user name.
4.
In the Administrator Password field enter the Windows Administrator password. The name and password are used only during the join and are not stored.
5.
Select how to locate the domain controller:
*
Auto-detect using DNS
*
DC name or IP address
If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.
6.
Click Join Domain.
To change the way the domain controller is found
1.
Navigate to the Configure > Security > Access Control > Integrated Windows Authentication tab.
2.
In the Domain Controller section, select how to locate the domain controller:
*
Auto-detect using DNS
*
DC name or IP address
If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.
3.
Click Apply.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Integrated Windows Authentication