IronPort WSA authentications

New Contributor III

Hey All,

I'm having the struggle of my life trying to iron out IronPort (sorry for that). We're a 90% Windows shop here and we use IronPort WSA 8.0.6 to authenticate to the internet from behind our firewall. My issue is that the Mac computers are constantly being prompted for AD credentials in order to access the internet. Our security team is running two WSA proxies with a failover so every time a Mac user's computer flips to another server they have to re authenticate. Supposedly these WSA's are set up to accept Kerberos tokens, but for some reason those aren't passing through to the Proxies. Has anyone had experience with these types of proxy servers and found a good fix for them? I'm exploring the idea of scripting a fix, but I don't know where to start with it.

Thanks for the help!


New Contributor

What browser(s) are you testing with?

If Macs are joined to Active Directory, users are logging into Active Directory accounts, and everything else Kerberos is working properly, Safari should just work and authenticate. Firefox and Chrome require configuration changes for Kerberos SSO.

I'll have to figure this one out in the near future so I'd like to know what you do find out. Currently our IronPorts aren't doing any authentication.

New Contributor III

Most of our systems aren't built to be Kerberos friendly right now, but there is a few systems that do work just fine using the kerberos token. Primary use is Safari. I will update any new info that security comes up with for other people having this issue.

We don't use PAC files for the proxies either, so the only creative option we've had so far is to make an "at work" network location and have users switch back and forth depending on where they are, which doesn't make things much better then just signing in to the proxies.

New Contributor II

I am pretty sure that the ironport only supports NTLM authentication not kerberos.

We use Authoxy to get around the issue so the user just has to login to Authoxy once and the user is not prompted again.

New Contributor III

Authoxy is a good tip! thanks for that. Looking into the user guides for the version of IronPort we're using says it supports Mac OS Kerberos tokens, I just don't know how true that is.