Troubleshooting guide
1-20
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring Administrative Login Authentication and Authorization
If the auto detection fails, you will need to check the configured domain/DNS configuration and enter
them manually. The values can then be submitted.
Note Kerberos version 5 is used for Windows systems running Windows 2000 or higher with users
logging in to domain accounts.
For Kerberos, skip the next step.
Step 9 For NTLM, select version 1 or version 2 from the drop-down list. NTLM version 1 is selected by default.
Note NTLM cannot be used for encrypted MAPI acceleration.
• NTLM version 1 is used for all Windows systems, including legacy systems such as Windows 98
with Active Directory, Windows NT, and more recent Windows systems, such as Windows 2000,
Windows XP, and Windows 2003. We recommend the use of Kerberos if you are using a
Windows 2000 SP4 or Windows 2003 domain controller.
• NTLM version 2 is used for Windows systems running Windows 98 with Active Directory,
Windows NT 4.0 (Service Pack 4 or higher), Windows XP, Windows 2000, and Windows 2003.
Enabling NTLM version 2 support on the WAAS print server will not allow access to clients who
use NTLM or LM.
Caution Enable NTLM version 2 support in the print server only if all the clients’ security policy has
been set to Send NTLMv2 responses only/Refuse LM and NTLM.
Skip the next step.
Step 10 In the Kerberos Realm field, enter the fully qualified name of the realm in which the WAAS device
resides. In the Key Distribution center, enter the fully qualified name or the IP address of the distribution
center for the Kerberos key. If you clicked the Auto Detect The Parameters button when you selected
Kerberos authentication method, these fields will already be populated.
All Windows 2000 domains are also Kerberos realms. Because the Windows 2000 domain name is also
a DNS domain name, the Kerberos realm name for the Windows 2000 domain name is always in
uppercase letters. This capitalization follows the recommendation for using DNS names as realm names
in the Kerberos Version 5 protocol document (RFC-4120) and affects only interoperability with other
Kerberos-based environments.
Step 11 In the Domain Controller field, enter the name of the Windows Domain Controller.
When you click Submit, the Central Manager validates this name by requesting the WAAS device (if
version 4.2.x or later) to resolve the domain controller name. If the domain controller is not resolvable,
you are asked to submit a valid name. If the device is offline, you are asked to verify device connectivity.
If you are configuring a device group, the domain controller name is not validated on each device before
this page is accepted and if it is not resolvable on a device, the configuration changes on this page are
not applied to that device.
Step 12 Click Submit.
Note Make sure that you click Submit now so that the specified changes are committed to the WAAS
Central Manager database. The Domain Administrator’s username and password, which you will
enter in Step 13, are not stored in the WAAS Central Manager’s database.