Defining a Basic Authentication, NTLM, or Kerberos Intermediation Resource Policy (NSM Procedure)

Basic authentication, NT LAN Manager (NTLM), or Kerberos intermediation resource policies enable you to control NTLM and Kerberos intermediation on the Secure Access device. If a user accesses a Web resource that sends a basic authentication challenge, the device intercepts the challenge, displays an intermediate sign-in page to collect the credentials for the Web resource, and then rewrites the credentials along with the entire challenge or response sequence.

With the Kerberos intermediation resource policy, backend Web applications protected by Kerberos are accessible to end users. For example, a user logs in to the device using Active Directory as the authentication server and Kerberos as the authentication protocol. When the user browses a Kerberos-protected server, the user is single signed on to the backend server and is not prompted for any credentials. In the other case, a user logs in to the device using an authentication protocol other than Kerberos and then browses a Kerberos-protected server. Depending on the Kerberos intermediation resource policy settings and the configured Kerberos authentication server, the user is either authenticated by the system or is prompted to enter a username and password.

To define a basic authentication, NTLM, or Kerberos intermediation resource policy:

  1. In the navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a basic, NTLM, or Kerberos intermediation resource policy.
  3. Click the Configuration tab. Select Users > Resource Policies > Basic Auth/NTLM SSO.
  4. Click the New icon to configure the options as described in Table 60.
  5. Click OK to save the changes.

Table 60: Basic Authentication, NTLM, or Kerberos Intermediation Policy

Option | Your Action
General tab

Name

Enter a name to label the policy.

Description

Enter a description for the policy.

Resources

Enter the resource name to which this policy applies.

Applies to roles

Select any of the following options from the drop-down list:

  • All—Allows you to apply this policy to all users.
  • Selected—Allows you to apply this policy only to users who are mapped to roles in the Members list. In the Roles tab, you must add roles as members, from the Non-members list.
  • Except those selected—Allows you to apply this policy to all users except for the users who map to the roles in the Members list.

Authentication Type

Select any of the following options from the drop-down list:

  • Disable SSO—Specifies that the device disables the automatic SSO authentication for this user role, and prompts the user for sign-in credentials.
  • Basic Authentication—Specifies that the device uses the basic authentication intermediation method to control the SSO behavior.
  • Disable Intermediation (Not valid for web proxies)—Specifies that the device does not intermediate the challenge or response sequence.
  • NTLM Authentication—Specifies that the device uses the Microsoft NTLM intermediation method to control the SSO behavior.
  • Kerberos Authentication—Specifies that the device uses the Kerberos intermediation method to control the SSO behavior.
  • Constrained Delegation—Specifies that the device uses the constrained delegation intermediation method to control the SSO behavior.
  • Detailed Rules—Allows you to specify one or more detailed rules for this policy.

Label

Enter a label for the selected authentication type (Basic Authentication, NTLM Authentication, Kerberos Authentication, or Constrained Delegation).

Fallback to NTLM V1

Select the Fallback to NTLM V1 check box to enable this option.

Fallback to NTLM V2

Select the Fallback to NTLM V2 check box to enable this option.

Fallback to Kerberos

Select the Fallback to Kerberos check box to enable this option.

Roles tab

Roles

Select the roles to which this resource policy applies.

Note: This tab is enabled only when you select Selected or Except those selected from the Applies to roles drop-down list.

Detailed Rules tab

Detailed Rule

Enter the detailed rule information as described in the General tab section of Table 60.

Conditions

Click New Expression and enter a condition name for the rule. You can also set conditions for the rule; conditions can include logical operators, prebuilt expressions, variables, and so on.
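The following is an added illustration, not Juniper or NSM code: a small Python model of how the intermediation described in the introduction and the Applies to roles and Authentication Type options of Table 60 decide what happens to a backend's HTTP authentication challenge. The hostname-based resource match, the first-match policy order, and the handling of NTLM and Kerberos challenges (not modelled) are assumptions of this example.

```python
# Toy model of a basic-auth / NTLM / Kerberos intermediation policy (illustrative,
# not the Secure Access device's implementation). Role matching follows the three
# "Applies to roles" settings in Table 60; resource matching by hostname and
# first-match policy ordering are assumptions made for this example.
import base64
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    resources: list                               # hostnames the policy covers (assumed match rule)
    applies_to: str                               # "All", "Selected" or "Except those selected"
    members: list = field(default_factory=list)   # roles placed in the Members list
    auth_type: str = "Basic Authentication"       # one of the Authentication Type options


def role_matches(policy, user_roles):
    """Apply the 'Applies to roles' semantics from Table 60."""
    in_members = any(r in policy.members for r in user_roles)
    if policy.applies_to == "All":
        return True
    if policy.applies_to == "Selected":
        return in_members
    if policy.applies_to == "Except those selected":
        return not in_members
    raise ValueError(f"unknown Applies to roles value: {policy.applies_to}")


def parse_challenge(www_authenticate):
    """Return the scheme of a WWW-Authenticate header ('Basic', 'NTLM', 'Negotiate', ...)."""
    return www_authenticate.strip().split(None, 1)[0]


def intermediate(policies, host, user_roles, www_authenticate, creds=None):
    """Decide the device's action for a 401 challenge from `host`.

    Returns (action, Authorization header to replay or None). `creds` is the
    (username, password) pair collected on the intermediate sign-in page, if any.
    """
    scheme = parse_challenge(www_authenticate)
    for p in policies:                            # first matching policy wins (assumption)
        if host not in p.resources or not role_matches(p, user_roles):
            continue
        if p.auth_type == "Disable Intermediation":
            return ("pass-through", None)         # challenge is not intermediated
        if p.auth_type == "Disable SSO" or creds is None:
            return ("prompt", None)               # show the intermediate sign-in page
        if p.auth_type == "Basic Authentication" and scheme == "Basic":
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            return ("sso", f"Basic {token}")      # rewrite the challenge/response sequence
        return ("not-modelled", None)             # NTLM / Kerberos replay is out of scope here
    return ("pass-through", None)                 # no policy applies to this host and user
```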
