SSO with LDAP Authentication does not work

Good day, I have the following problem:

I have two MWGs configured in Proxy HA. User authentication is performed against an LDAP server, and the browsing policies restrict browsing by groups that are created in the LDAP; this works correctly. The problem occurs when domain users log on to their computers and open their browser: they are asked to authenticate in order to browse. We really do not want it to work that way. What is required is for SSO to work for domain users, so that they do not have to enter credentials every time they open their browser, and so that other applications installed on their computers that need to update do not ask for credentials either.

Teams have the following configurations:

1. They are joined to the domain.

2. They are configured with Authentication Method "LDAP"; the authentication test has been run and works properly.

3. The browsing criterion in the policies is (Authentication.UserGroups contains "nombre_del_grupo"), and in browsing tests the rule is applied correctly.

Has anyone done this configuration with LDAP and got SSO to work? Thank you.

McAfee Employee

Re: SSO with LDAP Authentication does not work

Hi vaco,

If the user is logged into the domain, does that mean you are using Active Directory? If so, then you can use NTLM authentication, and users will not be prompted for authentication.

This doesn't answer your question; however, you brought up the fact that you don't want users prompted for auth.

Best Regards,



Re: SSO with LDAP Authentication does not work

As mentioned, you can use NTLM; however, that will only work for IE, it will not work for Firefox or Chrome. Other apps will be hit or miss, depending on how they support authentication.

The way I have ours set up is that if it is an IE browser, it tries to auth with NTLM; if it is not, then it sends them to form auth. We auth for 24 hours at a time. If you open IE first, then open another browser, you will not be prompted. If you open Firefox first, you will be prompted via form auth. (If you would like to see our rules, let me know and I can export the auth rules I have.)

Or you install the McAfee proxy client to all your machines, in which case it will auth for you.

Or, you can use explicit proxy settings for your machines, set with a GPO or other method, and that will auth regardless of browser.  I use WCCP for 99% of my machines, with NTLM if IE, and forms auth if other.  But I have terminal servers where I need to auth with multiple users on a single IP, so I use explicit proxy settings for the users, pushed via GPO.

McAfee Employee

Re: SSO with LDAP Authentication does not work

Ola vaco,

LDAP will never be transparent <period>

LDAP will always require the user to enter their credentials in one way or the other, as the proxy will need to know the username and password to check its validity against the server and then will pull additional attributes in the context of the admin.

In case you want SSO, your options are:

  • NTLM
  • Kerberos
  • LDAP with eDirectory, whereas here the 'authentication' is based on an attribute in the directory that conditionally will be filled and maps the user to the IP the request comes from. That doesn't make it authentication but authorization in a sense that a user has supplied valid credentials previously from the same IP and therefore the authentication for the web request is assumed.



Michael Schneider
Lead Product Manager for Web Protection
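
The distinction drawn in the replies above (LDAP needs the password itself, while NTLM and Kerberos do not send one), as an added example that is not part of the original posts and is not MWG code: a Python sketch that classifies what a `Proxy-Authorization` header actually hands to a proxy. The function name and the sample headers are constructed for illustration.

```python
import base64
import struct

def classify_proxy_authorization(header_value):
    """Return (kind, user, proxy_has_password) for a Proxy-Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", None, False)

    if scheme == "basic":
        # Basic carries "user:password": the only case here where the proxy
        # holds a password it could present in an LDAP simple bind.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        return ("basic", user, bool(sep and password))

    if scheme in ("ntlm", "negotiate") and raw.startswith(b"NTLMSSP\x00"):
        # NTLM message: 8-byte signature, then a little-endian uint32 type
        # (1 = negotiate, 3 = authenticate). No password is ever included.
        if len(raw) < 12:
            return ("malformed", None, False)
        return ("ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0], None, False)

    if scheme == "negotiate" and raw[:1] == b"\x60":
        # GSS-API/SPNEGO token (ASN.1 application tag 0), typically Kerberos.
        return ("spnego", None, False)

    return ("unknown", None, False)

# Constructed sample headers (not captured traffic).
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"jdoe:constructed-password").decode(),
    "ntlm": "NTLM " + base64.b64encode(
        b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x07\x82\x08\xa2").decode(),
    "kerberos": "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00constructed").decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_proxy_authorization(value))
```
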