Users are being prompted to authenticate when going through the ProxySG or Advanced Secure Gateway

Article ID: 171530

Products

  • Advanced Secure Gateway Software - ASG
  • Symantec WebFilter (formerly Blue Coat WebFilter - BCWF)
  • Secure Web Gateway Virtual Appliance
  • ProxySG Software - SGOS

Issue/Introduction

Users are being prompted to authenticate by the ProxySG or Advanced Secure Gateway (ASG) when they are trying to access the Internet, and you want users to authenticate but not be prompted.

Resolution

To bypass authentication prompts from the ProxySG or ASG, enable IWA single sign-on (SSO). When SSO is configured correctly, the user agent or browser automatically provides the client's domain credentials when challenged by the appliance.

Although you cannot guarantee that SSO will work in all situations, make sure you have taken the following steps to enable it:

  • Configure the IWA realm to allow Kerberos and/or NTLM credentials. When using Basic credentials, the user will always be prompted to authenticate.
  • Ensure that users are logging in to their workstations using domain credentials rather than local credentials. The appliance can only use domain credentials to authenticate users.
  • Ensure that the client browsers support IWA SSO. 
  • Make sure the client browsers are configured to automatically provide credentials to the appliance.
  • Create a DNS "A" record that maps the appliance's fully qualified domain name (FQDN) to its IP address. In explicit deployments, the DNS A record should map the FQDN used in the browser's explicit proxy configuration; in transparent deployments, the DNS A record should map the Virtual URL in the IWA realm configuration to the IP address of the appliance.
  • Ensure that clients are using the DNS server you configured. To test this, ping the FQDN you specified in the DNS configuration from a client system and ensure that it resolves to the correct IP address.
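
Two of the checks above can be scripted from a client: which credential types the appliance offers in its challenge, and whether the proxy FQDN or Virtual URL host resolves to the appliance. The following is an added example, not code from the vendor article; the sample response, the host name `proxy.corp.example` and the address `192.0.2.10` are constructed placeholders, and the parser assumes one challenge per header line.

```python
import socket

# Constructed sample: response head an explicit proxy might send when challenging a client.
SAMPLE_CHALLENGE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="corp"\r\n'
    "Connection: close\r\n\r\n"
)
SSO_SCHEMES = {"negotiate", "ntlm"}  # Negotiate carries Kerberos; Basic always prompts


def offered_schemes(response_head):
    """Return the auth schemes in a 401/407 challenge, lower-cased, in header order."""
    lines = response_head.split("\r\n")
    parts = lines[0].split()
    status = parts[1] if len(parts) > 1 else ""
    # 407 = explicit proxy challenge, 401 = transparent (origin-style) challenge
    header = {"407": "proxy-authenticate", "401": "www-authenticate"}.get(status)
    if header is None:
        return []
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def sso_possible(response_head):
    """True if at least one scheme the browser can answer without prompting is offered."""
    return any(s in SSO_SCHEMES for s in offered_schemes(response_head))


def resolves_to(fqdn, expected_ip, resolver=socket.gethostbyname_ex):
    """Check that the proxy FQDN (or Virtual URL host) resolves to the appliance IP."""
    try:
        _, _, addresses = resolver(fqdn)
    except OSError:  # includes socket.gaierror for names that do not resolve
        return False
    return expected_ip in addresses


if __name__ == "__main__":
    print("offered:", offered_schemes(SAMPLE_CHALLENGE))
    print("SSO possible:", sso_possible(SAMPLE_CHALLENGE))
    # Placeholder name and address; substitute the values from your DNS A record.
    print("DNS ok:", resolves_to("proxy.corp.example", "192.0.2.10"))
```

A challenge that lists only `Basic` means the realm is not offering Kerberos or NTLM, so the browser has nothing it can answer silently and the user is prompted.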