ProxySG & Advanced Secure Gateway


The Proxy SG cannot connect to the domain controller over port 88 and the user gets a prompt

  • 1.  The Proxy SG cannot connect to the domain controller over port 88 and the user gets a prompt

    Posted Jul 04, 2021 06:58 AM
    Hi;

    In a situation where IWA (Direct) is implemented, with NTLM, there are two domain controllers, one of them is reachable "all ports" from the Proxy SG and one of them is not. 

    When the Proxy SG tries to connect to the second Domain Controller, which isn't reachable, the user gets a prompt for credentials. So it seems like the authentication is reverting to "Basic" instead of NTLM.

    Is this a normal behaviour?

    Kindly
    Wasfi


  • 2.  RE: The Proxy SG cannot connect to the domain controller over port 88 and the user gets a prompt

    Broadcom Employee
    Posted Jul 13, 2021 01:09 PM
    Hi Wasfi,

    If Basic is enabled, and NTLM fails, the ProxySG will downgrade authentication to Basic. From the ProxySG Authentication Guide:

    "[The ProxySG] will try to use the strongest challenge protocol that is configured and, if the browser cannot use that protocol or if it is not configured properly, the appliance will downgrade to the next protocol. For example, if you configure the IWA realm to allow Kerberos and NTLM, but the user agent/browser does not support Kerberos, the ProxySG appliance will automatically downgrade to NTLM" - (pg 13)

    Hope that helps!
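
The downgrade described in the reply can be checked from the client side by looking at which challenge schemes the proxy advertises in its 407 response. The following is an added example, not part of the thread and not Broadcom code; the sample response, the realm name `IWA_REALM` and the function names are constructed assumptions.

```python
import re

# Relative strength used for ranking; Kerberos is carried inside "Negotiate".
STRENGTH = {"negotiate": 3, "ntlm": 2, "basic": 1}

# Constructed sample: a 407 from a proxy whose realm allows Kerberos, NTLM and Basic.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="IWA_REALM"\r\n'
    "Content-Length: 0\r\n\r\n"
)

AUTH_HEADERS = ("proxy-authenticate", "www-authenticate")
# A scheme token starts a header value or follows a comma, and is followed by
# whitespace, a comma or end of value (auth-params are followed by "=" instead).
SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)")

def offered_schemes(raw_response):
    """Return the lower-cased challenge schemes in the order the server sent them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in AUTH_HEADERS:
            continue
        value = re.sub(r'"[^"]*"', '""', value)  # blank quoted strings (may hold commas)
        for scheme in SCHEME_RE.findall(value):
            if scheme.lower() not in schemes:
                schemes.append(scheme.lower())
    return schemes

def audit(raw_response):
    """Summarise the offer: strongest scheme and whether a Basic fallback exists."""
    schemes = offered_schemes(raw_response)
    ranked = sorted((s for s in schemes if s in STRENGTH),
                    key=STRENGTH.get, reverse=True)
    return {
        "offered": schemes,
        "strongest": ranked[0] if ranked else None,
        "basic_fallback": "basic" in schemes,  # True means a credential prompt is possible
    }

if __name__ == "__main__":
    print(audit(SAMPLE_407))
```

When `basic_fallback` is true, a failed NTLM or Kerberos attempt can end in the credential prompt the original poster saw.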