Configuring Basic, NTLM, and Kerberos Resources (NSM Procedure)
To configure basic, NT LAN Manager (NTLM), and Kerberos resources:
- In the navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure the basic, NTLM, and Kerberos resources.
- Click the Configuration tab. Select Users > Resource Policies > Web > General.
- Click the New icon to configure the options as described in Table 1.
- Click OK to save the changes.
Table 1: Configuring Basic, NTLM, and Kerberos Resources
Options | Your Action |
---|---|
General > Kerberos tab | |
Enable Kerberos SSO | Select the Enable Kerberos SSO check box to enable Kerberos SSO. |
General > Kerberos > Realm Definition > New Realm Definition | |
Realm | Enter the Kerberos realm name. For example, enter http://www.kerber.net. The device uses kerber.net to obtain the list of key distribution centers (KDCs). |
Site Name | Enter the Active Directory site names. Use this field to have the device contact the KDC at a specific site. For example, if site name is Sunnyvale and realm is http://www.kerber.net, then the device uses Sunnyvale.KERBER.NET to get the list of KDCs. Note: The Active Directory must have the sites defined and DNS must be configured to return the KDCs in the site. |
Pattern | Enter the hostnames mapped to the Kerberos realm. You can enter wildcard characters such as *.y.com, *.kerber.net, or *.*. |
KDC | Enter the hostname or IP address of the KDCs if DNS is unavailable or if you want the device to contact a specific KDC for tickets. If you enter a KDC, the device does not use DNS to obtain the list of KDCs based on the values entered in the Site Name and Realm boxes. |
General > Kerberos > Constrained Delegation > Constrained Delegation > New Constrained Delegation | |
Label | Enter a name to uniquely identify the constrained delegation. No external mapping is made to the label value. |
Realm | Select the realm to use. The drop-down list is populated by values in the Realm box. |
Principal Account | Enter the constrained delegation account. The device obtains the constrained delegation tickets with the value you enter on behalf of the user. |
Password | Enter the constrained delegation account password. |
Service List | Select the service list to use. The list should be an exact match with the service list in Active Directory if you want the device to perform constrained delegation for all the services. Hostnames must be an exact match. |
General > Kerberos > Constrained Delegation > Constrained Delegation Services List > New Constrained Delegation Service List | |
Id | Enter a unique identification number for the constrained delegation service list. |
Name | Enter a name for the constrained delegation service list. |
Services | Enter the service list name. |
General > Kerberos > Kerberos Intermediation > Kerberos Intermediation > New Kerberos Intermediation | |
Label | Enter a name to uniquely identify the Kerberos Intermediation. No external mapping is made to the label value. |
Realm | Select the realm to use. The drop-down list is populated by values in the Realm box. |
Credential Type | Select one of the credential types from the drop-down list. |
Username | Enter the account username. |
Password | Enter the account password. |
Variable Password | Enter the password token if you select Variable as the credential type. |
General > NTLM | |
Enable NTLM SSO | Select the Enable NTLM SSO check box to enable NTLM SSO. If you do not enter any configuration information, the device attempts to figure out the domain from the hostname and performs SSO using the system credentials. |
Fallback to NTLM V1 | Select the Fallback to NTLM V1 check box to fall back to NTLMv1 if Kerberos fails. If you do not select this option and Kerberos SSO fails, an intermediation page appears. |
General > NTLM > NTLM Intermediation > New NTLM Intermediation | |
Label | Enter a name to uniquely identify the NTLM intermediation. No external mapping is made to the label value. |
Domain | Enter the Active Directory domain name. |
Credential Type | Select one of the credential types from the drop-down list. |
Username | Enter the account username. If you select Variable as the credential type, you can enter the username token. |
Password | Enter an account password. |
Variable Password | Enter the password token if you select Variable as the credential type. |
General > Basic Authentication | |
Enable Basic Authentication SSO | Select the Enable Basic Authentication SSO check box to enable basic authentication SSO. |
General > Basic Authentication > Basic Auth Intermediation > New Basic Auth Intermediation | |
Label | Enter a name to uniquely identify the basic authentication intermediation. No external mapping is made to the label value. |
Credential Type | Select one of the credential types from the drop-down list. |
Username | Enter the account username. If you select Variable as the credential type, you can enter the username token. |
Password | Enter an account password. |
Variable Password | Enter the password token if you select Variable as the credential type. |
Pattern | Enter the hostnames mapped to the Kerberos realm. You can enter wildcard characters, such as *.y.com, *.kerber.net, or *.*. |
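The Realm, Site Name, Pattern and KDC fields in Table 1 together decide which realm a requested hostname belongs to and where the device goes for its KDC list. The following Python is an added example, not Juniper or NSM code, that models those decisions so an administrator can sanity-check a set of realm definitions before deploying them. It assumes two things the page does not state: that when several patterns match a hostname the most specific pattern wins, and that site-scoped KDC discovery uses the standard Active Directory SRV name (`_kerberos._tcp.<Site>._sites.<realm>`); the realm names, site name and KDC addresses below are constructed sample values.

```python
"""Model of Table 1's Realm / Site Name / Pattern / KDC semantics (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class RealmDefinition:
    """One 'New Realm Definition' entry: Realm, Pattern(s), Site Name, KDC(s)."""
    realm: str                       # as typed in the Realm box, e.g. "http://www.kerber.net"
    patterns: List[str]              # hostname patterns, e.g. "*.kerber.net" or "*.*"
    site_name: Optional[str] = None  # Active Directory site, e.g. "Sunnyvale"
    kdcs: List[str] = field(default_factory=list)  # explicit KDCs; disables DNS lookup


def normalize_realm(realm: str) -> str:
    """Reduce the Realm box value to a realm name: "http://www.kerber.net" -> "KERBER.NET".

    The page says the device uses "kerber.net" from that entry, so the scheme and a
    leading "www." are dropped and the result is upper-cased as Kerberos realms are.
    """
    host = realm.strip()
    if "://" in host:
        host = urlsplit(host).hostname or host
    if host.lower().startswith("www."):
        host = host[4:]
    return host.rstrip(".").upper()


def match_realm(hostname: str, realms: List[RealmDefinition]) -> Optional[RealmDefinition]:
    """Return the realm definition whose Pattern matches the hostname, or None.

    Assumption (not stated on the page): if several patterns match, the one with the
    most literal (non-wildcard) characters wins, so "*.kerber.net" beats "*.*".
    Matching is case-insensitive because DNS names are.
    """
    host = hostname.lower().rstrip(".")
    best, best_score = None, -1
    for rd in realms:
        for pat in rd.patterns:
            if fnmatchcase(host, pat.lower()):
                score = len(pat.replace("*", "").replace("?", ""))
                if score > best_score:
                    best, best_score = rd, score
    return best


def kdc_lookup(rd: RealmDefinition) -> dict:
    """Describe how the KDC list is obtained for one realm definition.

    An explicit KDC entry wins and DNS is not consulted (as the KDC row states).
    Otherwise the DNS SRV name is derived from Site Name and Realm; the SRV label
    layout is the Active Directory convention, assumed here rather than quoted.
    """
    if rd.kdcs:
        return {"method": "static", "kdcs": list(rd.kdcs)}
    realm = normalize_realm(rd.realm).lower()
    if rd.site_name:
        qname = f"_kerberos._tcp.{rd.site_name}._sites.{realm}"
    else:
        qname = f"_kerberos._tcp.{realm}"
    return {"method": "dns-srv", "query": qname}


def overly_broad_patterns(realms: List[RealmDefinition]) -> List[str]:
    """Flag patterns with fewer than two literal labels ("*.*", "*.com"), since they
    map every host, or a whole top-level domain, to a realm for SSO."""
    flagged = []
    for rd in realms:
        for pat in rd.patterns:
            literal = [lab for lab in pat.split(".") if lab and "*" not in lab and "?" not in lab]
            if len(literal) < 2:
                flagged.append(pat)
    return flagged


# Constructed sample configuration mirroring the examples in Table 1.
REALMS = [
    RealmDefinition("http://www.kerber.net", ["*.kerber.net"], site_name="Sunnyvale"),
    RealmDefinition("y.com", ["*.y.com"], kdcs=["kdc1.y.com", "10.0.0.5"]),
    RealmDefinition("corp.example", ["*.*"]),
]

if __name__ == "__main__":
    for host in ("intranet.kerber.net", "app.y.com", "other.example", "localhost"):
        rd = match_realm(host, REALMS)
        print(host, "->", normalize_realm(rd.realm) if rd else None, kdc_lookup(rd) if rd else "")
    print("overly broad patterns:", overly_broad_patterns(REALMS))
```

Running the script shows why a catch-all pattern such as `*.*` deserves a second look: it makes the device treat every dotted hostname, including ones outside the organisation, as part of a Kerberos realm, whereas `*.kerber.net` with an explicit site name yields a site-scoped KDC query and nothing else.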