User Guide
338
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
• Basic. Allows a client application to provide authentication credentials in the form of a
user name and password when it makes a request. You can use the Basic authentication
scheme with either an LDAP or Active Directory server.
• NTLMSSP. Allows the client application to provide authentication credentials in the form
of a challenge and response. It uses a binary message format to authenticate clients that
use the NTLM protocol to access network resources. You can use the NTLMSSP
authentication scheme only with an Active Directory server. When the Web Proxy uses
NTLMSSP, most client applications can use the Windows login credentials for
authentication and users do not need to enter their credentials again. This is called “single
sign-on.”
For more information, see “Basic versus NTLMSSP Authentication Schemes” on page 338.
Table 16-1 describes the different authentication scenarios you can configure between the
Web Security appliance and the client and between the Web Security appliance and the
authentication server.
Web Proxy deployment also affects how authentication works in each of the scenarios
described in Table 16-1. For more information, see “How Web Proxy Deployment Affects
Authentication” on page 339.
Basic versus NTLMSSP Authentication Schemes
When you configure an Identity group to use authentication, you choose the authentication
scheme, either Basic or NTLMSSP. The authentication scheme affects the user experience and
the security of users’ passwords.
Table 16-1 Web Security Appliance Authentication Scenarios
Client to Web Security
Appliance
Web Security Appliance to
Authentication Server
Authentication Server Type
Basic LDAP LDAP server
Basic LDAP Active Directory server using LDAP
Basic NTLM Active Directory server using NTLM
NTLMSSP NTLM Active Directory server using NTLM