
    Configuring Basic, NTLM, and Kerberos Resources (NSM Procedure)

    To configure basic, NT LAN Manager (NTLM), and Kerberos resources:

    1. In the navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure the basic, NTLM, and Kerberos resources.
    3. Click the Configuration tab. Select Users > Resource Policies > Web > General.
    4. Click the New icon to configure the options as described in Table 1.
    5. Click OK to save the changes.

    Table 1: Configuring Basic, NTLM, and Kerberos Resources

    Options | Your Action
    General > Kerberos tab

    Enable Kerberos SSO

    Select the Enable Kerberos SSO check box to enable Kerberos SSO.

    General > Kerberos > Realm Definition > New Realm Definition

    Realm

    Enter the Kerberos realm name. A realm name is the DNS domain name of the realm, conventionally in uppercase, not a URL. For example, enter KERBER.NET. The device uses KERBER.NET to obtain the list of key distribution centers (KDCs) from DNS.

    Site Name

    Enter the Active Directory site name. Use this field to have the device contact the KDCs at a specific site rather than any KDC in the realm. For example, if the site name is Sunnyvale and the realm is KERBER.NET, then the device uses Sunnyvale.KERBER.NET (the site-specific Kerberos SRV records) to get the list of KDCs.

    Note: The site must be defined in Active Directory, and DNS must be configured to return the KDCs for that site. If the site-specific lookup returns nothing, the device cannot locate a KDC through this field.

    Pattern

    Enter the hostnames mapped to this Kerberos realm. You can use wildcard characters, for example *.y.com, *.kerber.net, or *.*. Prefer the narrowest pattern that covers the backend hosts: *.* maps every hostname to the realm, so the device will attempt Kerberos SSO, and present the user's ticket, to any host that is not matched by a more specific realm definition.

    KDC

    Enter the hostname or IP address of one or more KDCs if DNS is unavailable or if you want the device to contact a specific KDC for tickets. If you enter a KDC here, the device does not use DNS to obtain the list of KDCs from the values entered in the Site Name and Realm boxes; the explicit list is used instead.
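    To make the Realm, Site Name, Pattern, and KDC fields concrete, the following is an added example (not code from the original page or from the Secure Access software) that models how a backend hostname is mapped to a realm definition and where the KDC list then comes from. The realm definitions and the DNS SRV answers are constructed sample data; the SRV record names follow the standard Active Directory layout (_kerberos._tcp.<site>._sites.<REALM> and _kerberos._tcp.<REALM>). The most-specific-pattern-wins rule is an assumption of this example, since the page does not state how the device breaks ties between overlapping patterns such as *.kerber.net and *.*.

```python
"""Realm selection and KDC discovery modelled on the Table 1 fields (added example).

Explicit KDC entries bypass DNS; otherwise DNS SRV names are derived from the
realm and, when present, the Active Directory site. All data below is
constructed for illustration.
"""
import fnmatch
from typing import List, Optional

# Constructed sample realm definitions mirroring the Realm / Site Name /
# Pattern / KDC boxes in Table 1.
REALM_DEFINITIONS = [
    {"realm": "KERBER.NET", "site": "Sunnyvale", "patterns": ["*.kerber.net"], "kdc": []},
    {"realm": "Y.COM", "site": "", "patterns": ["*.y.com"], "kdc": ["kdc1.y.com", "10.0.0.5"]},
    {"realm": "CATCHALL.EXAMPLE", "site": "", "patterns": ["*.*"], "kdc": []},
]

# Constructed stand-in for DNS: SRV name -> KDC hostnames it would return.
FAKE_DNS_SRV = {
    "_kerberos._tcp.Sunnyvale._sites.KERBER.NET": ["dc1.kerber.net"],
    "_kerberos._tcp.KERBER.NET": ["dc1.kerber.net", "dc2.kerber.net"],
}


def pattern_specificity(pattern: str) -> int:
    """Rank patterns so that '*.kerber.net' beats '*.*': count literal characters."""
    return sum(1 for c in pattern if c not in "*?")


def select_realm(hostname: str, definitions=REALM_DEFINITIONS) -> Optional[dict]:
    """Return the most specific realm definition whose pattern matches the host.

    Matching is case-insensitive, as DNS names are. Most-specific-wins is an
    assumption of this example, not a documented device behaviour.
    """
    host = hostname.lower()
    best, best_score = None, -1
    for definition in definitions:
        for pat in definition["patterns"]:
            if fnmatch.fnmatchcase(host, pat.lower()):
                score = pattern_specificity(pat)
                if score > best_score:
                    best, best_score = definition, score
    return best


def srv_names(realm: str, site: str = "") -> List[str]:
    """DNS SRV names a Kerberos client queries for KDCs, site-specific name first."""
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.{realm.upper()}")
    names.append(f"_kerberos._tcp.{realm.upper()}")
    return names


def kdcs_for_host(hostname: str, dns=FAKE_DNS_SRV) -> List[str]:
    """KDC list used for a host: explicit KDC entries win, otherwise DNS SRV lookup."""
    definition = select_realm(hostname)
    if definition is None:
        return []
    if definition["kdc"]:
        return list(definition["kdc"])
    for name in srv_names(definition["realm"], definition["site"]):
        if dns.get(name):
            return list(dns[name])
    return []  # realm matched, but no KDC could be located


if __name__ == "__main__":
    for host in ["intranet.kerber.net", "app.y.com", "other.example.org"]:
        realm = select_realm(host)
        print(host, "->", realm["realm"] if realm else None, kdcs_for_host(host))
```

    Running the block shows the effect of the catch-all pattern: other.example.org, which belongs to no configured domain, is still claimed by the *.* realm, and because that realm has neither an explicit KDC nor site-specific SRV records in the sample DNS, no KDC is found and SSO for that host would fail or fall through to intermediation.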

    General > Kerberos > Constrained Delegation > Constrained Delegation > New Constrained Delegation

    Label

    Enter a name to uniquely identify the constrained delegation. No external mapping is made to the label value.

    Realm

    Select the realm to use. The drop-down list is populated by values in the Realm box.

    Principal Account

    Enter the constrained delegation account. The device uses this account to obtain service tickets on behalf of the user, so the account must be configured in Active Directory as trusted for delegation to the specific services you list. Its password is stored on the device; treat it as a privileged credential and grant it no rights beyond delegation to those services.

    Password

    Enter the constrained delegation account password.

    Service List

    Select the service list to use. For the device to perform constrained delegation to every service in the list, the list must exactly match the services configured for delegation on the account in Active Directory. Hostnames must be an exact match (a short name on one side and a fully qualified name on the other will not match).

    General > Kerberos > Constrained Delegation > Constrained Delegation Services List > New Constrained Delegation Service List

    Id

    Enter a unique identification number for the constrained delegation service list.

    Name

    Enter a name for the constrained delegation service list.

    Services

    Enter the services that make up the list, as service principal names (for example, HTTP/intranet.kerber.net).
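    The Service List and Services fields above require an exact match with the services configured for delegation on the account in Active Directory. The following added example (not code from the original page or from the Secure Access software) compares a device-side service list against the account's delegation targets as service principal names and explains each mismatch. Both lists are constructed sample data; in practice the Active Directory side is the account's msDS-AllowedToDelegateTo attribute. The port handling and the normalization rules (service case-insensitive, host case-insensitive) are assumptions of this example.

```python
"""Compare a constrained delegation service list with Active Directory (added example).

Service principal names (SPNs) have the form service/host[:port]. The device
side must match the account's delegation targets exactly, hostnames included;
this check reports what differs and why. All data below is constructed.
"""
from typing import List, NamedTuple, Tuple


class Spn(NamedTuple):
    service: str
    host: str
    port: str


def parse_spn(spn: str) -> Spn:
    """Split 'service/host[:port]' into parts. Service and host are compared
    case-insensitively (an assumption of this example); the port is kept verbatim."""
    service, _, rest = spn.partition("/")
    if not service or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = rest.partition(":")
    return Spn(service.upper(), host.lower(), port)


def check_service_list(device_list: List[str], ad_list: List[str]) -> Tuple[List[str], List[str]]:
    """Return (entries the device lists that AD does not allow, one explanation per entry)."""
    allowed = {parse_spn(s) for s in ad_list}
    missing: List[str] = []
    problems: List[str] = []
    for raw in device_list:
        spn = parse_spn(raw)
        if spn in allowed:
            continue
        missing.append(raw)
        if "." not in spn.host:
            problems.append(f"{raw}: hostname is not fully qualified; the AD entry uses an FQDN")
        elif any(a.service == spn.service and a.host == spn.host for a in allowed):
            problems.append(f"{raw}: port differs from the AD entry")
        else:
            problems.append(f"{raw}: not in the account's delegation list")
    return missing, problems


# Constructed sample data: what the delegation account is allowed to delegate to
# in AD, and what an administrator typed into the device's service list.
AD_DELEGATION_LIST = [
    "HTTP/intranet.kerber.net",
    "HTTP/intranet.kerber.net:8443",
    "MSSQLSvc/db1.kerber.net:1433",
]
DEVICE_SERVICE_LIST = [
    "http/intranet.kerber.net",          # matches: service case does not matter
    "HTTP/intranet",                      # short hostname: will never match
    "MSSQLSvc/db1.kerber.net:1434",       # wrong port
    "cifs/files.kerber.net",              # not delegated at all
]


def sample_check() -> Tuple[List[str], List[str]]:
    """Run the check over the constructed sample lists."""
    return check_service_list(DEVICE_SERVICE_LIST, AD_DELEGATION_LIST)


if __name__ == "__main__":
    missing, problems = sample_check()
    print("entries that will not delegate:", missing)
    for line in problems:
        print(" -", line)
```

    Every entry reported here is one the device will list but never be able to obtain a delegated ticket for; fix the device list or the account's delegation targets in Active Directory until the check returns nothing.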

    General > Kerberos > Kerberos Intermediation > Kerberos Intermediation > New Kerberos Intermediation

    Label

    Enter a name to uniquely identify the Kerberos Intermediation. No external mapping is made to the label value.

    Realm

    Select the realm to use. The drop-down list is populated by values in the Realm box.

    Credential Type

    Select one of the following options from the drop-down list:

    • System—Uses the credentials the user supplied when signing in to the device (primary or secondary authentication credentials held for the session). If you select this option, you do not need to enter a username and password.
    • Variable—Lets you use session variable tokens (for example, the username and password tokens) in the Username and Password boxes, so the credentials are substituted per user at access time.
    • Static—Uses the username and password exactly as they are entered in the Username and Password boxes for every user. A static account is a shared credential, so limit its rights to the backend resource.

    Username

    Enter the account username.

    Password

    Enter the account password.

    Variable Password

    Enter the password token if you select Variable as the credential type.

    General > NTLM

    Enable NTLM SSO

    Select the Enable NTLM SSO check box to enable NTLM SSO. If you do not enter any configuration information, the device derives the domain from the hostname and performs SSO using the system credentials.

    Fallback to NTLM V1

    Select the Fallback to NTLM V1 check box to fall back to NTLMv1 if Kerberos fails. If you do not select this option and Kerberos SSO fails, an intermediation page appears. Enable the fallback only for backend servers that still require NTLMv1: NTLMv1 responses are computed with DES from the user's NT hash and are easily cracked or relayed by anyone who can observe the exchange, so leaving the fallback off (and accepting the intermediation page) is the safer default.

    General > NTLM > NTLM Intermediation > New NTLM Intermediation

    Label

    Enter a name to uniquely identify the NTLM intermediation. No external mapping is made to the label value.

    Domain

    Enter the Active Directory domain name.

    Credential Type

    Select one of the following options from the drop-down list:

    • System—Uses the credentials the user supplied when signing in to the device (primary or secondary authentication credentials held for the session). If you select this option, you do not need to enter a username and password.
    • Variable—Lets you use session variable tokens (for example, the username and password tokens) in the Username and Password boxes, so the credentials are substituted per user at access time.
    • Static—Uses the username and password exactly as they are entered in the Username and Password boxes for every user.

    Username

    Enter the account username. If you select Variable as the credential type, you can enter the username token.

    Password

    Enter an account password.

    Variable Password

    Enter the password token if you select Variable as the credential type.

    General > Basic Authentication

    Enable Basic Authentication SSO

    Select the Enable Basic Authentication SSO check box to enable basic authentication SSO.

    General > Basic Authentication > Basic Auth Intermediation > New Basic Auth Intermediation

    Label

    Enter a name to uniquely identify the basic authentication intermediation. No external mapping is made to the label value.

    Credential Type

    Select one of the following options from the drop-down list:

    • System—Uses the credentials the user supplied when signing in to the device (primary or secondary authentication credentials held for the session). If you select this option, you do not need to enter a username and password.
    • Variable—Lets you use session variable tokens (for example, the username and password tokens) in the Username and Password boxes, so the credentials are substituted per user at access time.
    • Static—Uses the username and password exactly as they are entered in the Username and Password boxes for every user. Because basic authentication sends the password in cleartext (only Base64-encoded) to the backend, make sure the device reaches the backend over HTTPS when using a static or variable credential.

    Username

    Enter the account username. If you select Variable as the credential type, you can enter the username token.

    Password

    Enter an account password.

    Variable Password

    Enter the password token if you select Variable as the credential type.

    Pattern

    Enter the hostnames to which this basic authentication intermediation applies. You can use wildcard characters, such as *.y.com, *.kerber.net, or *.*. As with the Kerberos realm pattern, *.* matches every host, so the device would send these credentials to any backend that challenges for basic authentication; use the narrowest pattern that covers the intended servers.

    Published: 2013-01-03