The firewall uses an encrypted challenge-response
mechanism to obtain the user credentials from the browser. When
configured properly, the browser will transparently provide the
credentials to the firewall without prompting the user, but will
prompt for credentials if necessary. If you use the Windows-based
User-ID agent, NTLM responses go directly to the domain controller
where you installed the agent. If you configure Kerberos SSO
authentication, the firewall tries that method first before falling
back to NTLM authentication. If the browser can’t perform NTLM or
if NTLM authentication fails, the firewall falls back to web form
or client certificate authentication, depending on your Authentication
policy and Captive Portal configuration. Microsoft Internet
Explorer supports NTLM by default. You can also configure Mozilla Firefox
and Google Chrome to use NTLM, but you can’t use NTLM to authenticate
non-Windows clients. |