Some web page objects are not displayed when IWA/NTLM authentication is enabled

Solutions ID:    KB3243
Version:    1.0
Status:    Published
Published date:    08/06/2009

Problem Description

When using IWA/NTLM authentication via a ProxySG, some web page objects are either not displayed correctly, or generate log-in prompts requiring the user to manually enter their authentication credentials.


There are a number of different authentication modes which can be configured within IWA/NTLM auth on the ProxySG. The default mode is auto, which authenticates every TCP connection from a user via the BCAAA agent and a query to the directory server.

This works correctly for User-Agents which understand the challenge/response mechanism used within this auth mode, but some Java plug-ins, Flash video streams, and User-Agents that are not familiar with the Microsoft mechanism will not know how to respond to the 407 challenge issued by the proxy.

This results in either i) the object not being displayed correctly, or ii) the request, having been unable to authenticate via single sign-on, failing over to basic auth and generating a pop-up for the user to manually enter their credentials.

To mitigate against this behavior, we can switch to a different authentication mode which utilises a surrogate credential. For explicit proxy deployments where NATing does not occur between the ProxySG and the client - and where the ProxySG therefore has visibility of the requesting client's individual IP address - proxy-ip mode can be used. With proxy-ip, the user's first connection is authenticated via the round trip between BCAAA and the directory server, and subsequent connections are authenticated from the ProxySG's on-board credential cache, using a surrogate credential that associates the requesting IP address with the user's ID. This credential is maintained for the duration of the credential cache timeout, which is configurable via the SG management GUI.

Requests which previously could not be authenticated via a 407 response will now be authenticated via the credential cache surrogate, preventing display issues or the need for the user to manually enter their auth credentials.
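As an added illustration, not Blue Coat code, the following toy model shows why a plug-in that cannot answer the 407 challenge fails in auto mode but succeeds in proxy-ip mode, and why the NAT condition above matters: behind a shared address the IP surrogate credits the second user's traffic to the first. The IP addresses, user names and timeout value are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    ip: str
    user: str
    ntlm_capable: bool   # browser: True; Java plug-in / Flash stream: False


@dataclass
class ProxySG:
    mode: str                                  # "auto" or "proxy-ip"
    cache_timeout: int = 900                   # credential cache timeout, seconds (constructed)
    cache: dict = field(default_factory=dict)  # surrogate: client IP -> (user, expiry)

    def handle(self, client: Client, now: int) -> tuple:
        """Outcome of one TCP connection: (result, user, how)."""
        if self.mode == "proxy-ip":
            entry = self.cache.get(client.ip)
            if entry and entry[1] > now:
                return ("ok", entry[0], "surrogate")   # served from cache, no 407 round trip
        # Proxy issues a 407 challenge; only NTLM-capable agents can answer it
        if not client.ntlm_capable:
            return ("prompt", None, "basic-fallback")  # object breaks or user sees a pop-up
        # Challenge answered: BCAAA / directory round trip authenticates client.user
        if self.mode == "proxy-ip":
            self.cache[client.ip] = (client.user, now + self.cache_timeout)
        return ("ok", client.user, "ntlm")


def scenario(mode: str) -> list:
    """Browser logs in, then a Java plug-in on the same PC fetches objects."""
    proxy = ProxySG(mode)
    browser = Client("10.0.0.5", "alice", True)
    plugin = Client("10.0.0.5", "alice", False)
    return [proxy.handle(browser, 0),      # first connection: full NTLM exchange
            proxy.handle(plugin, 1),       # plug-in while the cache entry is valid
            proxy.handle(plugin, 901)]     # plug-in after the cache entry has expired


def nat_caveat() -> tuple:
    """Two users behind one NAT address: the IP surrogate cannot tell them apart."""
    proxy = ProxySG("proxy-ip")
    proxy.handle(Client("198.51.100.7", "bob", True), 0)          # bob authenticates first
    return proxy.handle(Client("198.51.100.7", "alice", True), 1)  # alice is credited as bob
```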
