Authenticating Mac users with Content Gateway

Using the Integrated Windows Authentication (IWA) feature of Content Gateway, Mac users can be transparently authenticated when the user is a member of an Active Directory domain and the Mac computer is joined to the Active Directory domain. For more information, see Integrated Windows Authentication.

Configuration summary:

  • Ensure that each Mac computer is joined to the Active Directory domain. See Typical steps for joining a Mac to an Active Directory domain.
  • Ensure that each participating Mac user is a member of a common Active Directory. See your Active Directory documentation.
  • Ensure that Content Gateway is joined to the Active Directory domain.
    • If Content Gateway is not configured for IWA, see Integrated Windows Authentication and apply the configuration instructions.
    • If Content Gateway is already configured for IWA and your Mac users belong to the currently joined domain, there is nothing to do.
    • If Content Gateway is already configured for IWA and your Mac users belong to a different Active Directory domain, use the Rule-Based Authentication feature. See Rule-Based Authentication and follow the configuration instructions.
  • When Content Gateway is an explicit proxy, configure participating Mac systems and browsers to send HTTP, HTTPS, and FTP requests to the Fully Qualified Domain Name (FQDN) of Content Gateway. Alternatively, specify the IP address of Content Gateway if NTLM is adequate.

    If Content Gateway is a transparent proxy, no additional Mac system or browser configuration is required.

    Important:

    Safari users may be prompted for credentials the first time they open a browser. The user should enter their credentials and check the “Remember password in keychain” check box.

    Firefox users may receive a “Proxy Authentication Required” error message. This is a known issue in Firefox (http://support.mozilla.org/en-US/questions/926378) and is easily corrected by changing the browser configuration. In about:config set the following options to false:

    • network.automatic-ntlm-auth.allow-proxies
    • network.negotiate-auth.allow-proxies
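
To check the explicit-proxy step on a Mac, the following added example (not part of the original documentation) reads the system proxy settings with `networksetup` and reports whether HTTP, HTTPS, and FTP each point at an FQDN or at an IP address, which the step above reserves for cases where NTLM is adequate. The network service name `Wi-Fi` and the sample address are assumptions.

```shell
#!/bin/sh
# Added example: audit a Mac's explicit-proxy settings for Content Gateway.
# Assumption: the network service is named "Wi-Fi" unless passed as $1.

# Read `networksetup -get*proxy <service>` output on stdin and print:
#   disabled    - proxy off or no server set
#   fqdn        - dotted hostname (what the explicit-proxy step asks for)
#   ip          - IPv4/IPv6 literal (acceptable only if NTLM is adequate)
#   unqualified - short hostname, not an FQDN
classify_proxy() {
    awk -F': ' '
        $1 == "Enabled" { enabled = $2 }
        $1 == "Server"  { server = $2 }
        END {
            if (enabled != "Yes" || server == "")          print "disabled"
            else if (server ~ /^[0-9.]+$/ || server ~ /:/) print "ip"
            else if (server ~ /\./)                        print "fqdn"
            else                                           print "unqualified"
        }'
}

# Check the HTTP, HTTPS and FTP proxies of one network service.
# Returns 0 only when all three are set to an FQDN.
audit_service() {
    svc=$1
    rc=0
    for kind in web secureweb ftp; do
        state=$(networksetup "-get${kind}proxy" "$svc" | classify_proxy)
        printf '%-10s %s\n' "$kind" "$state"
        [ "$state" = "fqdn" ] || rc=1
    done
    return $rc
}

if command -v networksetup >/dev/null 2>&1; then
    audit_service "${1:-Wi-Fi}" ||
        echo "one or more protocols are not using the proxy FQDN" >&2
else
    # Not on macOS: classify a constructed sample instead (prints "ip").
    printf 'Enabled: Yes\nServer: 10.1.2.3\nPort: 8080\n' | classify_proxy
fi
```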