Defining Basic, NTLM, and Kerberos Resources
You can set up basic, NT LAN Manager (NTLM), and Kerberos credentials in the Devices > Users > Resource Policies > Web > SSO > General tab. Follow these guidelines when managing single sign-on (SSO):
- The Secure Access device manages Kerberos if challenged with the negotiate header, NTLM if challenged with the NTLM header, and basic authentication if challenged with the basic resource.
- If the device receives multiple challenges, the order of precedence is as follows:
  - Kerberos
  - NTLM
  - Basic
- The device first sets the constrained delegation if the service is configured in a service list.
- Policy configurations override any settings in the SSO > General tab.
- Disabling all the options available in the SSO > General screen prevents SSO. However, the device continues to an intermediate phase and displays an intermediation page to the end user.
- You can explicitly turn off the basic authentication intermediation in a policy. For Kerberos and NTLM, the device always intermediates.
- Depending on the SSO used, you can view the different fields in the intermediation page and configure the following options:
  - Basic authentication intermediation page—Displays username and password fields.
  - NTLM intermediation page—Displays username, password, and domain fields.
  - Kerberos intermediation page—Displays username, password, and realm fields.
- When upgrading a Secure Access device or performing a new installation, the default SSO BasicAuthNoSSO policy is preserved. If you have enabled all options of the General tab, SSO will not be enabled until you have deleted the BasicAuthNoSSO policy.
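
The precedence rule above can be checked against what a backend resource actually offers. The following Python sketch is an added example, not the device's own logic: it parses the `WWW-Authenticate` values from a 401 response and reports which mechanism the stated precedence would select. The function names, the `enabled` parameter, and the assumption that a disabled mechanism is skipped in favor of the next one are illustrative, and the header values in the tests are constructed.

```python
import re

# Challenge scheme -> SSO mechanism, in the precedence order given on this page.
PRECEDENCE = (("negotiate", "Kerberos"), ("ntlm", "NTLM"), ("basic", "Basic"))

# Quoted strings (realm="...") may contain commas or scheme names; blank them first.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# Leading token of a comma-separated part, plus "=" if the token is an auth-param.
_LEADING = re.compile(r"\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(=?)")


def offered_schemes(www_authenticate_values):
    """Return the lowercase auth schemes found in WWW-Authenticate header values."""
    schemes = []
    for value in www_authenticate_values:
        unquoted = _QUOTED.sub('""', value)
        for part in unquoted.split(","):
            m = _LEADING.match(part)
            # "realm=" or "charset=" is a parameter of the previous challenge,
            # while "Basic realm=" or a bare "NTLM" starts a new challenge.
            if m and not m.group(2):
                schemes.append(m.group(1).lower())
    return schemes


def select_sso(www_authenticate_values, enabled=("Kerberos", "NTLM", "Basic")):
    """Pick a mechanism by precedence; None means no SSO mechanism applies.

    Assumption (not stated on the page): a mechanism missing from `enabled`
    is skipped and the next one in precedence order is considered.
    """
    offered = set(offered_schemes(www_authenticate_values))
    for scheme, mechanism in PRECEDENCE:
        if scheme in offered and mechanism in enabled:
            return mechanism
    return None


if __name__ == "__main__":
    # Constructed sample: three challenges sent as separate header lines.
    sample = ['Basic realm="Intranet, HQ"', "NTLM", "Negotiate"]
    print(offered_schemes(sample), "->", select_sso(sample))
```

Running this against the headers of each published web resource shows which resources would drop to NTLM or basic authentication because they never send a negotiate challenge.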

