vaco
Level 7

SSO with LDAP Authentication does not work

Good day, I have the following problem.

I have two MWGs configured in Proxy HA. User authentication is performed against an LDAP server, and the browsing policies restrict browsing by groups that are created in the LDAP; this works correctly. The problem occurs when domain users log on to their computers and open their browser: they are asked to authenticate in order to browse. I really do not want it to work that way. What is required is for SSO to work for domain users, so that they do not have to enter credentials every time they open their browser or the other applications installed on their computer, and so that updates do not ask for credentials either.

The systems have the following configuration:

1. They are joined to the domain.

2. They are configured with the Authentication Method "LDAP"; the authentication test has been done and works properly.

3. In the browsing criteria of the policies you have (Authentication.UserGroups contains "nombre_del_grupo"), and browsing tests show the rule being applied correctly.

Has anyone done this configuration with LDAP and SSO, and does it work? Thank you.

3 Replies
McAfee Employee

Re: SSO with LDAP Authentication does not work

Hi vaco,

If the user is logged into the domain, does that mean you are using Active Directory? If so, then you can use NTLM authentication, and users will not be prompted for authentication.

This doesn't answer your question; however, you brought up the fact that you don't want users prompted for auth.

Best Regards,

Jon

cjoshdoll
Level 7

Re: SSO with LDAP Authentication does not work

As mentioned, you can use NTLM; however, that will only work for IE, it will not work for Firefox or Chrome. Other apps will be hit or miss, depending on how they support authentication.

The way I have ours set up is that if it is an IE browser, it tries to auth with NTLM; if it is not, then it sends them to form auth. We auth for 24 hours at a time. If you open IE first, then open another browser, you will not be prompted. If you open Firefox first, you will be prompted via form auth. (If you would like to see our rules, let me know and I can export the auth rules I have.)

Or you install the McAfee proxy client to all your machines, in which case it will auth for you.

Or, you can use explicit proxy settings for your machines, set with a GPO or another method, and that will auth regardless of browser. I use WCCP for 99% of my machines, with NTLM if IE, and forms auth if other. But I have terminal servers where I need to auth multiple users on a single IP, so I use explicit proxy settings for those users, pushed via GPO.

McAfee Employee

Re: SSO with LDAP Authentication does not work

Hello vaco,

LDAP will never be transparent <period>

LDAP will always require the user to enter their credentials in one way or another, as the proxy needs to know the username and password to check their validity against the server, and will then pull additional attributes in the context of the admin account.

In case you want SSO, your options are:

  • NTLM
  • Kerberos
  • LDAP with eDirectory, where the 'authentication' is based on an attribute in the directory that is conditionally filled and maps the user to the IP the request comes from. That doesn't make it authentication but authorization, in the sense that a user has supplied valid credentials previously from the same IP and therefore the authentication for the web request is assumed.

hth,

Michael

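The two replies above draw the same line from different directions: cjoshdoll remembers identity per client IP for 24 hours behind WCCP and falls back to explicit proxy settings for terminal servers where several users share one IP, and Michael points out that an eDirectory IP attribute yields authorization (trusting an earlier login from that address) rather than authentication. The following Python models that proxy-side decision so the difference is visible on a shared IP. It is an added example written for this page, not McAfee Web Gateway code or either poster's rule set; the user table, the directory IP attribute table, the user-agent test, and the use of Basic credentials on the explicit path are all constructed assumptions (a real deployment would use NTLM or Kerberos there as well).

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_TTL = 24 * 3600  # "We auth for 24 hours at a time"

# Constructed credential store. Stands in for the LDAP bind the proxy performs
# with the user's own credentials (the proxy has to see the password).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}

# Constructed stand-in for an eDirectory-style attribute recording the IP a
# user last logged in from. Assumed shape; the thread names no attribute.
DIRECTORY_IP_ATTRIBUTE = {"10.0.0.5": "carol"}


def is_ie(user_agent: str) -> bool:
    """Crude IE detection of the kind a proxy rule would key on (assumption)."""
    return "MSIE" in user_agent or "Trident/" in user_agent


def basic_header(user: str, password: str) -> str:
    """Build a 'Proxy-Authorization: Basic ...' value for the explicit path."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header: Optional[str]) -> Optional[str]:
    """Validate a Basic Proxy-Authorization value; return the user or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return user if USERS.get(user) == password else None


@dataclass
class Decision:
    action: str                 # allow | challenge-ntlm | challenge-form | challenge-407
    user: Optional[str] = None  # identity the request will be authorized as
    source: str = ""            # where that identity came from


@dataclass
class Proxy:
    # Transparent-mode session table: client IP -> (user, expiry time)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def login(self, client_ip: str, user: str, password: str, now: float) -> bool:
        """Called when the NTLM or form challenge succeeds: start an IP-keyed session."""
        if USERS.get(user) != password:
            return False
        self.sessions[client_ip] = (user, now + SESSION_TTL)
        return True

    def decide(self, client_ip: str, user_agent: str, now: float,
               explicit: bool = False, proxy_auth: Optional[str] = None) -> Decision:
        if explicit:
            # Explicit proxy: the client answers a 407 itself, so identity rides on
            # the request (or connection) and does not depend on the source IP.
            user = check_basic(proxy_auth)
            return Decision("allow", user, "Proxy-Authorization") if user else Decision("challenge-407")

        # Transparent (WCCP) proxy: no 407 is possible, so identity is remembered per IP.
        entry = self.sessions.get(client_ip)
        if entry and entry[1] > now:
            return Decision("allow", entry[0], "ip-session")
        if entry:
            del self.sessions[client_ip]  # session expired
        user = DIRECTORY_IP_ATTRIBUTE.get(client_ip)
        if user:
            # Authorization, not authentication: an earlier login from this IP is trusted.
            return Decision("allow", user, "directory-ip-attribute")
        return Decision("challenge-ntlm" if is_ie(user_agent) else "challenge-form")


def terminal_server_demo() -> Tuple[str, Optional[str], Optional[str], str]:
    """Two users behind one IP: transparent mode conflates them, explicit mode does not."""
    proxy = Proxy()
    now = time.time()
    ts_ip = "10.0.0.9"  # constructed terminal-server address
    ie = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    firefox = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"

    first = proxy.decide(ts_ip, ie, now).action                       # challenge-ntlm
    proxy.login(ts_ip, "alice", "alice-pw", now)                     # alice's NTLM succeeds
    bob_transparent = proxy.decide(ts_ip, firefox, now + 60).user     # bob is seen as alice
    bob_explicit = proxy.decide(ts_ip, firefox, now + 60, explicit=True,
                                proxy_auth=basic_header("bob", "bob-pw")).user  # bob
    expired = proxy.decide(ts_ip, firefox, now + SESSION_TTL + 1).action         # challenge-form
    return first, bob_transparent, bob_explicit, expired


if __name__ == "__main__":
    print(terminal_server_demo())
```

The point of the demo is the second value: once alice has answered the transparent challenge, every request from that IP for the next 24 hours, including bob's from the same terminal server, is authorized as alice, and neither a directory IP attribute nor a longer session helps, because both key on the address. Only the explicit path, where each client presents its own Proxy-Authorization, separates the two users.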