Configuring Basic, NTLM, and Kerberos Resources (NSM Procedure)

To configure basic, NT LAN Manager (NTLM), and Kerberos resources:

  1. In the navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure the basic, NTLM, and Kerberos resources.
  3. Click the Configuration tab. Select Users > Resource Policies > Web > General.
  4. Click the New icon to configure the options as described in Table 59.
  5. Click OK to save the changes.

Table 59: Configuring Basic, NTLM, and Kerberos Resources

Option / Your Action
General > Kerberos tab

Enable Kerberos SSO

Select the Enable Kerberos SSO check box to enable Kerberos SSO.

General > Kerberos > Realm Definition > New Realm Definition

Realm

Enter the Kerberos realm name, for example KERBER.NET. The device uses the realm name to obtain the list of key distribution centers (KDCs) from DNS. Enter the realm name only, not a URL such as http://www.kerber.net; realm names are case-sensitive and are conventionally written in uppercase.

Site Name

Enter the Active Directory site name. Use this field to have the device contact the KDCs of a specific site. For example, if the site name is Sunnyvale and the realm is KERBER.NET, the device uses Sunnyvale.KERBER.NET to obtain the list of KDCs. (Active Directory publishes site-scoped KDCs as DNS SRV records named _kerberos._tcp.<site>._sites.<domain>.)

Note: The site must be defined in Active Directory, and DNS must return the KDCs for that site.

Pattern

Enter the hostnames mapped to the Kerberos realm. You can enter wildcard characters such as *.y.com, *.kerber.net, or *.*.

KDC

Enter the hostname or IP address of one or more KDCs if DNS is unavailable or if you want the device to contact specific KDCs for tickets. If you enter a KDC here, the device does not query DNS for the KDC list derived from the Realm and Site Name boxes, so there is no failover through DNS; make sure any KDC you pin here is reachable and kept current.
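The following Python script is added here as an example; it is not part of the NSM documentation or Juniper's code. It models the KDC selection order these four boxes describe: an explicit KDC entry is used as given and DNS is skipped; otherwise the site-scoped SRV name is queried, then the realm-wide name. The realm-wide fallback when the site publishes no KDCs is an assumption (the page does not say what the device does in that case), the SRV answers are constructed inline so the script runs offline, and the contact order follows RFC 2782 priority and weight in a simplified, deterministic form.

```python
import re
from typing import Dict, List, Optional, Tuple

# (priority, weight, port, target) as carried in a DNS SRV record.
SrvRecord = Tuple[int, int, int, str]

# Constructed SRV answers in dig/BIND presentation format. Not real DNS data;
# the names follow the Active Directory layout for the KERBER.NET example.
CONSTRUCTED_SRV_ANSWERS = """
_kerberos._tcp.Sunnyvale._sites.KERBER.NET. 600 IN SRV 0 100 88 dc-sv1.kerber.net.
_kerberos._tcp.Sunnyvale._sites.KERBER.NET. 600 IN SRV 0  50 88 dc-sv2.kerber.net.
_kerberos._tcp.KERBER.NET.                  600 IN SRV 0 100 88 dc-sv1.kerber.net.
_kerberos._tcp.KERBER.NET.                  600 IN SRV 0  50 88 dc-sv2.kerber.net.
_kerberos._tcp.KERBER.NET.                  600 IN SRV 10 100 88 dc-nyc1.kerber.net.
"""

_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_answers(text: str) -> Dict[str, List[SrvRecord]]:
    """Parse SRV records into {owner name: [records]}.

    DNS names are case-insensitive, so owner and target names are lower-cased
    and the trailing root dot is dropped.
    """
    zone: Dict[str, List[SrvRecord]] = {}
    for raw in text.strip().splitlines():
        match = _SRV_LINE.match(raw.strip())
        if not match:
            raise ValueError(f"not an SRV record: {raw!r}")
        owner = match["owner"].rstrip(".").lower()
        record = (
            int(match["prio"]),
            int(match["weight"]),
            int(match["port"]),
            match["target"].rstrip(".").lower(),
        )
        zone.setdefault(owner, []).append(record)
    return zone


def srv_query_names(realm: str, site: Optional[str] = None) -> List[str]:
    """DNS names to query, most specific first.

    With a Site Name the site-scoped name is tried first; the realm-wide name
    follows as a fallback (an assumption: the page does not describe what the
    device does when the site publishes no KDCs).
    """
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.{realm}")
    names.append(f"_kerberos._tcp.{realm}")
    return names


def order_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 contact order, simplified to be deterministic: lowest priority
    first, then highest weight first (real resolvers choose among targets of
    equal priority weighted-randomly)."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def kdc_candidates(
    realm: str,
    site: Optional[str] = None,
    kdc: Optional[List[str]] = None,
    zone: Optional[Dict[str, List[SrvRecord]]] = None,
) -> Tuple[str, List[str]]:
    """Return (source, ["host:port", ...]) in the order the KDCs would be tried.

    An explicit KDC list wins outright and DNS is never consulted, which is
    what the KDC box does; otherwise the SRV names are tried in turn.
    """
    if kdc:
        return ("static", list(kdc))
    for name in srv_query_names(realm, site):
        records = (zone or {}).get(name.lower())
        if records:
            return (name, [f"{target}:{port}" for _, _, port, target in order_srv(records)])
    return ("none", [])


if __name__ == "__main__":
    zone = parse_srv_answers(CONSTRUCTED_SRV_ANSWERS)
    print(kdc_candidates("KERBER.NET", site="Sunnyvale", zone=zone))
    print(kdc_candidates("KERBER.NET", site="Berlin", zone=zone))  # no site records: realm-wide
    print(kdc_candidates("KERBER.NET", kdc=["10.0.0.5", "kdc2.kerber.net"], zone=zone))
```

Before enabling Kerberos SSO, the same names can be checked against the real DNS with `dig SRV _kerberos._tcp.Sunnyvale._sites.KERBER.NET`; an empty answer is exactly the condition the note above warns about.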

General > Kerberos > Constrained Delegation > Constrained Delegation > New Constrained Delegation

Label

Enter a name to uniquely identify the constrained delegation. No external mapping is made to the label value.

Realm

Select the realm to use. The drop-down list is populated by values in the Realm box.

Principal Account

Enter the constrained delegation account, that is, the Active Directory principal the device authenticates as. The device uses this account to obtain service tickets on behalf of the user (Kerberos constrained delegation), so in Active Directory the account must be trusted for delegation to the specified services only, with protocol transition enabled ("Use any authentication protocol"), because the user did not authenticate to the device with Kerberos.

Password

Enter the constrained delegation account password. The device stores this password, and the account can obtain service tickets as any user for the listed services, so use a dedicated account with a strong password and no other privileges, and update it on the device whenever it changes in Active Directory.

Service List

Select the service list to use. For the device to perform constrained delegation to all the services, the list must exactly match the services to which the account is allowed to delegate in Active Directory. In particular, hostnames must match exactly: a fully qualified name on one side and a short name (or a different spelling) on the other is not a match, and delegation to that service fails.

General > Kerberos > Constrained Delegation > Constrained Delegation Services List > New Constrained Delegation Service List

Id

Enter a unique identification number for the constrained delegation service list.

Name

Enter a name for the constrained delegation service list.

Services

Enter the services that make up the list, written as they appear in the account's Active Directory delegation settings.
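The following Python script is added as an example and is not Juniper's code. It checks the exact-match requirement from the Service List and Services rows above by comparing the service list configured on the device with the services the principal account is allowed to delegate to in Active Directory. Both lists are constructed inline; in a real check the AD side is the account's msDS-AllowedToDelegateTo attribute (for example, `Get-ADUser <account> -Properties msDS-AllowedToDelegateTo` in PowerShell). The function and report names are the script's own.

```python
from typing import Dict, List, Tuple


def canonical_spn(text: str) -> str:
    """Normalise 'class/host[:port][/instance]'.

    The service class is case-insensitive in Active Directory, so it is
    upper-cased; the host part is kept exactly as written because the device
    requires an exact hostname match.
    """
    service_class, sep, rest = text.strip().partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"malformed SPN: {text!r}")
    return f"{service_class.upper()}/{rest}"


def spn_host(spn: str) -> str:
    """Hostname portion of an SPN, without port or instance name."""
    return spn.split("/", 2)[1].split(":", 1)[0]


def check_delegation_list(
    device_services: List[str], ad_allowed_to_delegate_to: List[str]
) -> Dict[str, list]:
    """Compare the device's service list with the account's AD delegation list."""
    device = {canonical_spn(s) for s in device_services}
    allowed = {canonical_spn(s) for s in ad_allowed_to_delegate_to}
    missing = sorted(device - allowed)   # the KDC refuses S4U2Proxy tickets for these
    unused = sorted(allowed - device)    # delegation rights the device never exercises
    # Likely typos: same service class and same first hostname label, but the
    # hostnames differ (short vs fully qualified name, or letter case).
    mismatches: List[Tuple[str, str]] = [
        (m, u)
        for m in missing
        for u in unused
        if m.split("/", 1)[0] == u.split("/", 1)[0]
        and spn_host(m).split(".")[0].lower() == spn_host(u).split(".")[0].lower()
    ]
    return {
        "ok": sorted(device & allowed),
        "missing_in_ad": missing,
        "unused_in_ad": unused,
        "hostname_mismatch": mismatches,
    }


# Constructed inputs: the device's service list and the account's
# msDS-AllowedToDelegateTo values as an administrator might have typed them.
DEVICE_SERVICE_LIST = ["HTTP/intranet.kerber.net", "HTTP/hr.kerber.net", "HTTP/wiki.kerber.net"]
AD_ALLOWED_TO_DELEGATE_TO = ["HTTP/intranet.kerber.net", "HTTP/hr", "cifs/files.kerber.net"]

if __name__ == "__main__":
    report = check_delegation_list(DEVICE_SERVICE_LIST, AD_ALLOWED_TO_DELEGATE_TO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Entries under `missing_in_ad` fail silently from the user's point of view (the back end gets no ticket), while `unused_in_ad` entries are delegation rights the account holds for no reason and should be removed to keep the account at least privilege.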

General > Kerberos > Kerberos Intermediation > Kerberos Intermediation > New Kerberos Intermediation

Label

Enter a name to uniquely identify the Kerberos Intermediation. No external mapping is made to the label value.

Realm

Select the realm to use. The drop-down list is populated by values in the Realm box.

Credential Type

Select one of the following options from the drop-down list:

  • System—Uses the credentials the device already holds for the session, such as the user's primary and secondary sign-in credentials. If you select this option, you do not need to enter a username and password.
  • Variable—Substitutes session variable tokens, such as the signed-in user's username and password, into the Username and Variable Password boxes.
  • Static—Uses the username and password exactly as entered in the Username and Password boxes, for every user; the back end then cannot tell users apart.

Username

Enter the account username.

Password

Enter the account password.

Variable Password

Enter the password token if you select Variable as the credential type.

General > NTLM

Enable NTLM SSO

Select the Enable NTLM SSO check box to enable NTLM SSO. If you enter no other configuration, the device derives the domain from the hostname and performs SSO with the system credentials.

Fallback to NTLM V1

Select the Fallback to NTLM V1 check box to fall back to NTLMv1 if Kerberos fails. If you do not select this option and Kerberos SSO fails, an intermediation page appears. NTLMv1 is a weak protocol whose challenge-response can be cracked offline, so enable the fallback only for back ends that cannot accept Kerberos.

General > NTLM > NTLM Intermediation > New NTLM Intermediation

Label

Enter a name to uniquely identify the NTLM intermediation. No external mapping is made to the label value.

Domain

Enter the Active Directory domain name.

Credential Type

Select one of the following options from the drop-down list:

  • System—Uses the credentials the device already holds for the session, such as the user's primary and secondary sign-in credentials. If you select this option, you do not need to enter a username and password.
  • Variable—Substitutes session variable tokens, such as the signed-in user's username and password, into the Username and Variable Password boxes.
  • Static—Uses the username and password exactly as entered in the Username and Password boxes, for every user; the back end then cannot tell users apart.

Username

Enter the account username. If you select Variable as the credential type, you can enter the username token.

Password

Enter an account password.

Variable Password

Enter the password token if you select Variable as the credential type.

General > Basic Authentication

Enable Basic Authentication SSO

Select the Enable Basic Authentication SSO check box to enable basic authentication SSO.

General > Basic Authentication > Basic Auth Intermediation > New Basic Auth Intermediation

Label

Enter a name to uniquely identify the basic authentication intermediation. No external mapping is made to the label value.

Credential Type

Select one of the following options from the drop-down list:

  • System—Uses the credentials the device already holds for the session, such as the user's primary and secondary sign-in credentials. If you select this option, you do not need to enter a username and password.
  • Variable—Substitutes session variable tokens, such as the signed-in user's username and password, into the Username and Variable Password boxes.
  • Static—Uses the username and password exactly as entered in the Username and Password boxes, for every user; the back end then cannot tell users apart.

Username

Enter the account username. If you select Variable as the credential type, you can enter the username token.

Password

Enter an account password.

Variable Password

Enter the password token if you select Variable as the credential type.

Pattern

Enter the hostnames to which this basic authentication intermediation applies. You can enter wildcard characters, such as *.y.com or *.kerber.net. Avoid catch-all patterns such as *.*: basic authentication only base64-encodes the credentials, so a pattern that matches every host makes the device hand the configured username and password to any server that answers with a 401 challenge.
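The following Python script is added as an example and is not Juniper's code. It ties together the Pattern box and the Credential Type options that the Kerberos, NTLM and basic authentication intermediations share: which rule a hostname selects, what credentials that rule resolves to for a given session, the Authorization header a basic challenge would receive, and an audit that flags over-broad patterns. Assumptions: '*' matches any run of characters including dots, the first matching rule wins, the <USERNAME> and <PASSWORD> tokens stand in for the device's real session variables, and the rules and session are constructed inline.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Intermediation:
    label: str
    pattern: str            # hostname pattern from the Pattern box, e.g. "*.kerber.net"
    credential_type: str    # "System", "Variable" or "Static"
    username: str = ""
    password: str = ""


# Illustrative token syntax for the Variable credential type; the real token
# names are not given on the page.
_TOKEN = re.compile(r"<(\w+)>")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumption: '*' matches any run of characters (dots included) and
    everything else is literal; hostnames compare case-insensitively."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def host_matches(host: str, pattern: str) -> bool:
    return pattern_to_regex(pattern).match(host) is not None


def select_rule(host: str, rules: List[Intermediation]) -> Optional[Intermediation]:
    """First rule whose pattern matches wins (the ordering is an assumption)."""
    return next((r for r in rules if host_matches(host, r.pattern)), None)


def resolve_credentials(rule: Intermediation, session: Dict[str, str]) -> Tuple[str, str]:
    """Apply the credential type: System reuses the session's sign-in
    credentials, Variable substitutes tokens, Static uses the boxes verbatim."""
    if rule.credential_type == "System":
        return session["username"], session["password"]
    if rule.credential_type == "Variable":
        def substitute(text: str) -> str:
            return _TOKEN.sub(lambda m: session[m.group(1).lower()], text)
        return substitute(rule.username), substitute(rule.password)
    if rule.credential_type == "Static":
        return rule.username, rule.password
    raise ValueError(f"unknown credential type: {rule.credential_type!r}")


def basic_authorization(rule: Intermediation, session: Dict[str, str]) -> str:
    """The Authorization header the device would answer a Basic challenge with.
    Base64 is encoding, not encryption: the back end receives the cleartext."""
    user, password = resolve_credentials(rule, session)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def audit_rules(rules: List[Intermediation]) -> List[str]:
    """Flag patterns with fewer than two literal labels ("*.*", "*", "*.com"):
    they send the configured credentials to any host that challenges."""
    findings = []
    for rule in rules:
        literal_labels = [label for label in rule.pattern.split(".") if "*" not in label]
        if len(literal_labels) < 2:
            findings.append(
                f"{rule.label}: pattern {rule.pattern!r} is too broad for "
                f"{rule.credential_type} credentials"
            )
    return findings


# Constructed configuration and session; not taken from a real device.
RULES = [
    Intermediation("hr-static", "*.hr.kerber.net", "Static", "svc-hr", "S3cret!"),
    Intermediation("intranet", "*.kerber.net", "System"),
    Intermediation("catch-all", "*.*", "Variable", "<USERNAME>", "<PASSWORD>"),
]
SESSION = {"username": "alice", "password": "alice-pw"}

if __name__ == "__main__":
    for host in ("portal.hr.kerber.net", "wiki.kerber.net", "evil.example.com", "localhost"):
        rule = select_rule(host, RULES)
        header = basic_authorization(rule, SESSION) if rule else ""
        print(host, "->", rule.label if rule else "no SSO", header)
    print(audit_rules(RULES))
```

Running it shows the point of the audit: evil.example.com matches the catch-all rule, so Alice's own password would be sent to a host outside the realm, and only the two rules with at least two literal labels pass.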
