3 Replies Latest reply on Apr 1, 2015 9:50 AM by michael_schneider

    SSO with LDAP Authentication does not work

    vaco


      Good day, I have the following problem:


      I have two MWG configured in Proxy HA. User authentication is performed against an LDAP server, and the navigation policy settings distinguish navigation by groups created in the LDAP; this works correctly. The problem occurs when domain users log on to their computers, open their browser and are asked to authenticate before they can navigate. I really do not want it to work that way: what is required is for SSO to work for domain users, so that they do not have to enter credentials every time they open their browser or the other applications installed on their computer, and so that updates do not ask for credentials either.


      The computers have the following configuration:


      1. They are joined to the domain.

      2. They are configured with Authentication Method "LDAP"; the authentication test has been run and works properly.

      3. The navigation criterion of the policies contains (Authentication.UserGroups contains "nombre_del_grupo"), and navigation tests show that it is applied correctly.


      Has anyone done this configuration with LDAP and gotten SSO to work? Thank you.

        • 1. Re: SSO with LDAP Authentication does not work
          Jon Scholten

          Hi vaco,


          If the user is logged into the domain, does that mean you are using Active Directory? If so, then you can use NTLM authentication, and users will not be prompted for authentication.


          This doesn't answer your question; however, you brought up the fact that you don't want users prompted for auth.


          Best Regards,

          Jon

          • 2. Re: SSO with LDAP Authentication does not work
            cjoshdoll

            As mentioned, you can use NTLM; however, that will only work for IE, it will not work for Firefox or Chrome. Other apps will be hit or miss, depending on how they support authentication.


            The way I have ours set up is that if it is an IE browser, it tries to auth with NTLM; if it is not, then it sends them to form auth. We auth for 24 hours at a time. If you open IE first, then open another browser, you will not be prompted. If you open Firefox first, you will be prompted via form auth. (If you would like to see our rules, let me know and I can export the auth rules I have.)


            Or you install the McAfee proxy client on all your machines, in which case it will auth for you.


            Or, you can use explicit proxy settings for your machines, set with a GPO or other method, and that will auth regardless of browser.  I use WCCP for 99% of my machines, with NTLM if IE, and forms auth if other.  But I have terminal servers where I need to auth with multiple users on a single IP, so I use explicit proxy settings for the users, pushed via GPO.

            • 3. Re: SSO with LDAP Authentication does not work
              michael_schneider

              Hello vaco,

              LDAP will never be transparent <period>

              LDAP will always require the user to enter their credentials in one way or the other, as the proxy will need to know the username and password to check its validity against the server and then will pull additional attributes in the context of the admin.

              In case you want SSO, your options are:

              • NTLM
              • Kerberos
              • LDAP with eDirectory, where the 'authentication' is based on an attribute in the directory that is conditionally filled and maps the user to the IP the request comes from. That doesn't make it authentication but authorization, in the sense that a user has supplied valid credentials previously from the same IP and therefore the authentication for the web request is assumed.


              hth,

              Michael
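
As an added illustration (this is not code from the thread or from McAfee Web Gateway), the Python model below reproduces the decision logic cjoshdoll describes in reply 2: an NTLM challenge for IE, a redirect to form auth for other browsers, a 24-hour session cache keyed by client IP, and an explicit-proxy mode that takes the identity from each request's own Proxy-Authorization header. It also shows the point Michael makes in reply 3 about IP-based mapping being authorization rather than authentication: once a session is keyed by IP, a second user on a terminal server's shared address inherits the first user's identity, which is exactly why cjoshdoll pushes explicit proxy settings to terminal-server users via GPO. The class names, the User-Agent strings and the "<scheme> <user>" form of the Proxy-Authorization value are constructed for this example only; real NTLM and Negotiate tokens are opaque.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 24 * 60 * 60  # the 24-hour auth window from the post

# Constructed sample User-Agent strings for the example (not taken from the thread).
UA_IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"


def is_internet_explorer(user_agent: str) -> bool:
    """Hypothetical browser check standing in for the proxy's User-Agent rule."""
    return "MSIE " in user_agent or "Trident/" in user_agent


@dataclass
class Decision:
    action: str                 # "allow", "challenge_ntlm" or "redirect_form"
    user: Optional[str] = None  # identity the request is attributed to, if any


@dataclass
class TransparentProxyPolicy:
    """Transparent (WCCP) deployment: follow-up requests carry no credentials,
    so the proxy remembers the client IP after one successful login."""
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (user, expiry)

    def handle(self, client_ip: str, user_agent: str, now: float,
               just_authenticated: Optional[str] = None) -> Decision:
        cached = self.sessions.get(client_ip)
        if cached and cached[1] > now:
            return Decision("allow", cached[0])  # any browser on this IP rides the session
        if just_authenticated is not None:
            # An NTLM handshake or a form login has just completed for this IP.
            self.sessions[client_ip] = (just_authenticated, now + SESSION_TTL_SECONDS)
            return Decision("allow", just_authenticated)
        if is_internet_explorer(user_agent):
            return Decision("challenge_ntlm")  # 407 with Proxy-Authenticate: NTLM
        return Decision("redirect_form")       # send the user to the login form


class ExplicitProxyPolicy:
    """Explicit proxy (settings pushed by GPO): the client sends
    Proxy-Authorization itself, so identity is taken per request, not per IP."""

    def handle(self, proxy_authorization: Optional[str]) -> Decision:
        if not proxy_authorization:
            return Decision("challenge_ntlm")
        # Toy header format "<scheme> <user>"; real NTLM/Negotiate tokens are opaque blobs.
        _scheme, _, user = proxy_authorization.partition(" ")
        return Decision("allow", user)


def ie_first_then_firefox():
    """Open IE first: NTLM challenge, then Firefox on the same PC is not prompted."""
    policy = TransparentProxyPolicy()
    first = policy.handle("10.0.0.7", UA_IE11, now=0.0)
    after_ntlm = policy.handle("10.0.0.7", UA_IE11, now=1.0, just_authenticated="alice")
    firefox = policy.handle("10.0.0.7", UA_FIREFOX, now=2.0)
    return first.action, after_ntlm.action, firefox.action, firefox.user


def firefox_first():
    """Open Firefox first: no NTLM attempt, so the user lands on the form."""
    return TransparentProxyPolicy().handle("10.0.0.7", UA_FIREFOX, now=0.0).action


def session_expiry():
    """After the 24-hour window the next IE request is challenged again."""
    policy = TransparentProxyPolicy()
    policy.handle("10.0.0.7", UA_IE11, now=0.0, just_authenticated="alice")
    return policy.handle("10.0.0.7", UA_IE11, now=SESSION_TTL_SECONDS + 1).action


def terminal_server_shared_ip():
    """Two users behind one IP: transparent mode attributes bob's traffic to alice,
    explicit mode identifies bob from his own header."""
    shared_ip = "10.0.0.50"
    transparent = TransparentProxyPolicy()
    transparent.handle(shared_ip, UA_IE11, now=0.0, just_authenticated="alice")
    bob_seen_as = transparent.handle(shared_ip, UA_FIREFOX, now=60.0).user
    bob_explicit = ExplicitProxyPolicy().handle("NTLM bob").user
    return bob_seen_as, bob_explicit
```

The transparent policy is the convenient one for single-user desktops, but `terminal_server_shared_ip()` shows the cost: the IP cache is only a record that someone at that address logged in within the last 24 hours, so group-based policy (Authentication.UserGroups) is applied to the wrong person for every other user on the host. Keying identity to a per-request credential, as the explicit-proxy mode does, is what restores a real per-user decision.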