Logic

  • One or more rules are defined for clients and domains (Configure > Security > Access Control > Authentication Rules).
  • When a request for web content is received:
    • A top-down rule list traversal begins
    • The first match is applied
    • If the rule includes a list of domains, authentication proceeds as follows:
      • The proxy attempts to authenticate with the first domain using the method configured for that domain. For example, if the first domain is IWA, Content Gateway transparently negotiates with the browser for credentials (407 or 401).
      • If authentication fails and Content Gateway hasn’t already challenged (prompted) for credentials, it then prompts for credentials.

        Exception: When Content Gateway is an explicit proxy, the first and second domains are IWA, and the client has a ticket from the authentication domain, there is no prompt for basic credentials. Instead, Content Gateway uses the Kerberos ticket provided by the client to attempt to authenticate with the second domain. If the attempt fails and the fallback to NTLM authentication fails, the user is prompted for credentials.

        When Content Gateway is a transparent proxy, the standard behavior applies. This is because when the user is not a member of the first domain, the request for a Kerberos ticket fails because the client does not trust the FQDN sent with the request. The fallback to NTLM authentication also fails and the user is prompted for credentials.

      • Content Gateway then uses the basic credentials with each domain, starting with the second, proceeding sequentially until authentication succeeds or the list is exhausted.
      • Content Gateway then uses the basic credentials to attempt, again, to authenticate with the first domain.
      • If authentication fails with all domains, the outcome depends on the Fail Open setting (Configure > Security > Access Control > Global Configuration Options):
        • Enabled only for critical service failures: the proxy assumes that the user mis-entered their credentials, prompts again for basic credentials, and again attempts to authenticate sequentially against the list.
        • Enabled for all authentication failures, including incorrect password: fail open is applied.

    • If no rule matches, no authentication is attempted
  • Transactions are logged with the user name used by Filtering Service.
  • Proxy authentication statistics are collected and reported individually for each authentication method. See Security (in the Statistics section).
    Note: Content Gateway must be configured with a DNS server that can resolve the fully qualified domain name (FQDN) of Content Gateway for every realm used by IWA. If this isn’t done, IWA fails to work. How to configure the DNS server is up to the network administrator. One option is to configure a DNS transfer zone (Sub Zone) between the primary DNS server of Content Gateway and the DNS server of each authentication realm (isolated domain).
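The rule traversal and multi-realm fallback above can be hard to follow from prose alone. The following Python model is an added example, not Content Gateway's code or configuration format: rules match on a constructed client-IP prefix, "IWA" success is represented by the client holding a ticket for that realm, LDAP/RADIUS realms are treated like Basic, and the NTLM fallback in the explicit-proxy exception is left unmodelled. The credential stores and requests are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the authentication logic; not Content Gateway's own objects.

@dataclass
class Domain:
    name: str
    method: str                     # "IWA" or "Basic" (LDAP/RADIUS behave like Basic here)
    users: dict                     # constructed store: user -> password
    ticket_holders: set = field(default_factory=set)  # users with a Kerberos ticket for this realm

@dataclass
class Rule:
    name: str
    client_prefix: str              # rule applies when the client IP starts with this prefix
    domains: list                   # ordered list of Domain

@dataclass
class Request:
    client_ip: str
    ticket_user: Optional[str]      # user the browser can prove via Kerberos, or None
    typed: list                     # (user, password) pairs the user types at each prompt

@dataclass
class Outcome:
    rule: Optional[str]
    user: Optional[str] = None
    method: Optional[str] = None
    prompts: int = 0
    fail_open: bool = False
    trail: list = field(default_factory=list)   # audit trail of each decision step


def match_rule(rules, req):
    """Top-down traversal of the rule list; the first match is applied."""
    for rule in rules:
        if req.client_ip.startswith(rule.client_prefix):
            return rule
    return None


def try_iwa(domain, req):
    return req.ticket_user if req.ticket_user in domain.ticket_holders else None


def try_basic(domain, creds):
    user, password = creds
    return user if domain.users.get(user) == password else None


def authenticate(rules, req, fail_open_mode="critical_only", explicit_proxy=True):
    rule = match_rule(rules, req)
    out = Outcome(rule=rule.name if rule else None)
    if rule is None:
        out.trail.append("no rule matched: no authentication attempted")
        return out
    domains, first = rule.domains, rule.domains[0]

    # 1. First domain with its own method; IWA negotiates without prompting.
    if first.method == "IWA":
        user = try_iwa(first, req)
        if user:
            out.user, out.method = user, "IWA"
            return out
        out.trail.append(f"IWA failed against {first.name}")
        # Exception: explicit proxy, first two domains IWA, client holds a ticket.
        if explicit_proxy and len(domains) > 1 and domains[1].method == "IWA" and req.ticket_user:
            user = try_iwa(domains[1], req)
            if user:
                out.user, out.method = user, "IWA"
                return out
            out.trail.append(f"ticket rejected by {domains[1].name}; NTLM fallback not modelled")

    while True:
        # 2. Prompt for basic credentials (one prompt per pass over the list).
        if not req.typed:
            out.trail.append("user supplied no credentials")
            return out
        creds = req.typed.pop(0)
        out.prompts += 1
        # 3. Try them against domains 2..n, then the first domain again.
        for domain in domains[1:] + [first]:
            user = try_basic(domain, creds)
            if user:
                out.user, out.method = user, "Basic"
                out.trail.append(f"basic credentials accepted by {domain.name}")
                return out
            out.trail.append(f"basic credentials rejected by {domain.name}")
        # 4. Every domain failed: the Fail Open setting decides what happens next.
        if fail_open_mode == "all_failures":
            out.fail_open = True
            out.trail.append("fail open applied")
            return out
        out.trail.append("assuming mistyped credentials; prompting again")


def build_rules():
    corp = Domain("corp.example", "IWA", {"alice": "pw-a"}, {"alice"})
    partner = Domain("partner.example", "Basic", {"bob": "pw-b"})
    return [Rule("lan-users", "10.1.", [corp, partner])]


def demo():
    rules = build_rules()
    return {
        "ticket":   authenticate(rules, Request("10.1.0.7", "alice", [])),
        "partner":  authenticate(rules, Request("10.1.0.8", None, [("bob", "pw-b")])),
        "retry":    authenticate(rules, Request("10.1.0.9", None, [("bob", "wrong"), ("bob", "pw-b")])),
        "failopen": authenticate(rules, Request("10.1.0.9", None, [("bob", "wrong")]),
                                 fail_open_mode="all_failures"),
        "norule":   authenticate(rules, Request("192.168.5.5", "alice", [])),
    }
```

Running `demo()` shows the five cases that matter operationally: a ticket holder is authenticated by IWA with no prompt, a partner user is prompted once and accepted by the second realm, a mistyped password under the critical-failures-only setting produces a second prompt, the same mistake under the all-failures setting results in fail open with no authenticated user, and a client outside every rule is never challenged. The `trail` list on each outcome is the kind of per-step record worth correlating with the proxy's own authentication statistics when troubleshooting unexpected prompts or fail-open events.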