
In document DEPARTAMENTO DE ATENCIÓN AL CLIENTE (pages 51-53)

The IWA General tab allows you to specify the display name, the refresh times, an inactivity timeout value, cookies, and a virtual URL.

To configure IWA general settings:

1. Select Configuration > Authentication > IWA > IWA General.

Important: The configuration of the realm can have significant security implications. If an IWA realm accepts Basic credentials, a client can silently downgrade to Basic and send the password to the proxy in the clear (Base64-encoded, not encrypted). Similarly, a client can fall back from Kerberos to NTLM. Neither downgrade produces any warning on the user side, so allow the weaker schemes only where you have confirmed they are needed.

2. From the Realm name drop-down list, select the IWA realm whose properties you want to change.

3. If needed, change the IWA realm display name. The default display name is the realm name. The display name must not be empty and can be at most 128 characters.

4. Configure refresh options:

a. Select the Use the same refresh time for all check box to apply a single refresh time to both the credential and the surrogate refresh intervals below.

b. Enter the number of seconds in the Credential refresh time field. The Credential Refresh Time is how long Basic credentials (username and password) are kept on the ProxySG. Caching them reduces the load on the authentication server, at the cost that a cached credential stays valid for the whole window: an account that is disabled, or whose password is changed on the server, continues to be accepted with the old credentials until the refresh time expires. The default is 900 seconds (15 minutes). You can also set this in policy for finer control, and policy overrides any value set here.

Before the refresh time expires, the ProxySG checks the user-supplied credentials against the cached credentials. If the credentials received do not match the cached credentials, they are forwarded to the authentication server in case the user's password changed. After the refresh time expires, the credentials are forwarded to the authentication server for verification.

c. Enter the number of seconds in the Surrogate refresh time field. The Surrogate Refresh Time sets a realm default for how often a user's surrogate credentials are refreshed. Surrogate credentials are credentials accepted in place of a user's actual credentials. The default setting is 900 seconds (15 minutes). You can also set this in policy for finer control, and policy overrides any value set here.

Before the refresh time expires, if a surrogate credential (IP address or cookie) is available and matches the expected surrogate credential, the ProxySG authenticates the transaction. After the refresh time expires, the ProxySG verifies the user's credentials. Depending on the authentication mode and the user agent, this may result in challenging the end user for credentials.

The main goal of this feature is to verify that the user-agent still has the appropriate credentials.

5. Type the number of seconds in the Inactivity timeout field to specify the amount of time a session can be inactive before being logged out.

6. If you use Basic credentials and want to cache failed authentication attempts (to reduce the load on the authentication service), enter the number of seconds in the Rejected Credentials time field. This setting is enabled by default with a value of one second and can be raised to at most 10 seconds. Any Basic credentials that match a failed result before its cache time expires are rejected without consulting the back-end authentication service; the original failed authentication result is returned for the new request.

All failed authentication attempts can be cached: Bad password, expired account, disabled account, old password, server down.

To disable caching for failed authentication attempts, set the Rejected Credentials time field to 0.

7. Configure cookie options:

a. Select the Use persistent cookies check box to use persistent browser cookies instead of session browser cookies.

b. Select the Verify the IP address in the cookie check box if cookie surrogate credentials should be accepted only from the IP address for which the cookie was issued. If this is disabled, a cookie is accepted from any IP address, so a cookie copied from one client can be replayed from another.

8. In the Virtual URL field, enter the URL to which the user is redirected when a credential challenge is needed and a redirecting authenticate.mode is in use.

You can specify a virtual URL based on the individual realm. For more information on the virtual URL, see "About Origin-Style Redirection" on page 40.

When NTLM is in use, requests to the virtual URL must be sent to the proxy. This can be done either by transparent redirection or by making the virtual URL hostname resolve to an IP address of the proxy.

When Kerberos is in use:

• The virtual URL hostname must be part of the Kerberos realm (this is using the term realm in the Kerberos sense, not the ProxySG sense).

• For a forward proxy, this hostname should be added to the DNS server for the same domain as the Kerberos protected resources so that requests for this address go directly to the ProxySG.

For both NTLM and Kerberos, if single sign-on is desired, the virtual URL hostname must have no dots and must not be proxied by the browser. The client must be able to resolve this hostname to an IP address of the proxy.

9. Select the Challenge user after logout check box if the realm requires users to enter their credentials again after they have logged out.

10. Select Apply.
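The Important note above warns about two silent downgrades: a client falling back to Basic, and a client using NTLM where Kerberos was expected. The following is an added example, not ProxySG code, that shows what those downgrades look like in the Proxy-Authorization headers the proxy receives. It decodes Basic credentials to demonstrate that they are merely Base64-encoded, and it tells a Kerberos ticket apart from an NTLM message inside a Negotiate token by the bytes the token carries (the NTLMSSP signature, or the DER-encoded Kerberos mechanism OID). The sample headers are constructed, and the Negotiate tokens are minimal byte strings built to carry those markers rather than valid SPNEGO structures.

```python
"""Audit which authentication scheme clients actually used against an IWA realm.

Added example (not ProxySG code). Input is a list of constructed
Proxy-Authorization header values of the kind the proxy sees.
"""
import base64

# Every NTLM message (Type 1/2/3) starts with this 8-byte signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, as it
# appears in a SPNEGO NegTokenInit that carries a Kerberos AP-REQ.
KRB5_MECH_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"


def decode_basic(token):
    """Recover user and password from a Basic token: Base64 is encoding, not encryption."""
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def classify(header_value):
    """Return (scheme, mechanism) for one Proxy-Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return scheme, "plaintext"
    if scheme == "ntlm":
        return scheme, "ntlm"
    if scheme == "negotiate":
        raw = base64.b64decode(token)
        if NTLMSSP_SIGNATURE in raw:
            # Raw NTLM sent under the Negotiate scheme, or NTLM wrapped in SPNEGO:
            # either way Kerberos was not used.
            return scheme, "ntlm"
        if KRB5_MECH_OID in raw:
            return scheme, "kerberos"
        return scheme, "unknown"
    return scheme, "unsupported"


def audit(requests):
    """requests: iterable of (client_ip, proxy_authorization_value). Returns findings."""
    findings = []
    for client_ip, value in requests:
        scheme, mech = classify(value)
        if mech == "plaintext":
            user, password = decode_basic(value.split(" ", 1)[1])
            # Report the user and the password length only; never log the password itself.
            finding = f"BASIC: password for {user!r} sent in the clear ({len(password)} chars)"
        elif mech == "ntlm":
            finding = "NTLM: Kerberos single sign-on was not used"
        elif mech == "kerberos":
            finding = "OK: Kerberos"
        else:
            finding = f"UNKNOWN: {scheme}/{mech}"
        findings.append((client_ip, finding))
    return findings


# Constructed sample headers (not real captures). The Negotiate tokens are
# minimal byte strings that carry the signature or OID a real token would,
# not valid SPNEGO/Kerberos structures.
SAMPLE_REQUESTS = [
    ("10.0.0.11", "Basic " + base64.b64encode(b"jdoe:Summer2024!").decode()),
    ("10.0.0.12", "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()),
    ("10.0.0.13", "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x03\x00\x00\x00").decode()),
    ("10.0.0.14", "Negotiate " + base64.b64encode(b"\x60\x20" + KRB5_MECH_OID + b"\x6e\x00").decode()),
]

if __name__ == "__main__":
    for client_ip, finding in audit(SAMPLE_REQUESTS):
        print(client_ip, finding)
```

Run against a capture of proxy traffic, a client reported as BASIC has downgraded past IWA entirely, and a client reported as NTLM has not obtained a Kerberos ticket for the virtual URL hostname; the NTLM case is usually a symptom of the hostname not being resolvable, being proxied by the browser, or not being in the Kerberos realm, as the virtual URL notes above describe.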

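Steps 4b and 6 above describe how the ProxySG caches Basic credentials for the Credential refresh time and caches failures for the Rejected Credentials time. The following is an added example, not ProxySG code: a simulation of exactly that described behaviour, with a stand-in authentication server that counts how often it is consulted, so the load reduction and the trade-off (an account disabled on the server is still accepted until the refresh window expires) can both be seen. The field names and defaults follow the text; the internal data structures, the hashing of cached credentials, and the timeline are assumptions made for the example.

```python
"""Model of the Basic-credential caching that the IWA realm refresh settings control.

Added example, not ProxySG code. Times are plain seconds passed in explicitly
so the run is deterministic.
"""
import hashlib


class AuthServer:
    """Stand-in for the back-end directory. Counts every verification it performs."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # user -> password
        self.disabled = set()
        self.calls = 0

    def verify(self, user, password):
        self.calls += 1
        if user in self.disabled:
            return "disabled account"
        if self.accounts.get(user) != password:
            return "bad password"
        return "ok"


class CredentialCache:
    """Caching layer in front of AuthServer, following the text's description."""

    def __init__(self, server, credential_refresh_time=900, rejected_credentials_time=1):
        self.server = server
        self.refresh = credential_refresh_time
        self.reject_ttl = rejected_credentials_time   # 0 disables failure caching
        self.good = {}       # user -> (digest, expires_at)
        self.rejected = {}   # (user, digest) -> (result, expires_at)

    @staticmethod
    def _digest(user, password):
        # Assumption for the example: cache a hash of the credential, not the password.
        return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

    def authenticate(self, user, password, now):
        """Return (result, served_from_cache) for a Basic credential presented at time `now`."""
        d = self._digest(user, password)

        # Rejected-credentials cache: a repeat of a recent failure gets the original
        # failed result without consulting the server.
        result, expires = self.rejected.get((user, d), (None, 0))
        if result and now < expires:
            return result, True

        # Positive cache: a matching credential inside the refresh window is accepted,
        # even if the account was disabled or the password changed on the server since.
        cached_digest, expires = self.good.get(user, (None, 0))
        if cached_digest == d and now < expires:
            return "ok", True

        # Expired, unknown user, or mismatch (possibly a changed password): ask the server.
        result = self.server.verify(user, password)
        if result == "ok":
            self.good[user] = (d, now + self.refresh)
        elif self.reject_ttl > 0:
            self.rejected[(user, d)] = (result, now + self.reject_ttl)
        return result, False


def run_scenario():
    """Replay a constructed timeline; returns [(t, result, from_cache, server_calls), ...]."""
    server = AuthServer({"jdoe": "Summer2024!"})
    cache = CredentialCache(server)
    trace = []

    def step(t, user, pw):
        result, from_cache = cache.authenticate(user, pw, t)
        trace.append((t, result, from_cache, server.calls))

    step(0,    "jdoe", "Summer2024!")   # first use: server consulted
    step(10,   "jdoe", "Summer2024!")   # repeat: served from cache
    step(20,   "jdoe", "wrong")         # mismatch: forwarded in case the password changed
    step(20.5, "jdoe", "wrong")         # same failure within 1 s: rejected from cache
    server.disabled.add("jdoe")         # account disabled on the server at t=30
    step(40,   "jdoe", "Summer2024!")   # still accepted: cached until the refresh time expires
    step(901,  "jdoe", "Summer2024!")   # window expired: server now reports the account disabled
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The last two steps are the caveat a practitioner should weigh when raising the refresh time: revocation on the directory takes effect at the proxy only after the window expires, or after the cached entry is replaced by a forwarded mismatch. Setting Rejected Credentials time to 0 disables the failure cache, which the simulation reproduces by sending every repeated bad attempt to the server.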