Which Authentication Scheme to Use on Proxy
We are trying to integrate our proxy with Microsoft Active Directory and would like to find out which authentication scheme should be used?
By default, the Web Safety proxy Admin UI lets you configure three authentication schemes for Microsoft Active Directory. Each scheme comes with its own pros and cons. Before going into the details of each, note that proxy authentication is stateless: every request to the proxy must be authenticated, and the proxy cannot cache authentication results.
Basic LDAP
When you use Basic LDAP proxy authentication, the proxy asks the browser to present user credentials and then binds to the LDAP server using those. The credentials need to be provided in a very specific form, such as user@domain, DOMAIN\user or even the LDAP DN of the user. It is hard to say which form of the credentials will work, and it is even harder to educate your users on which form to type into the proxy authentication popup. Also, for system services (and all components of Windows have those) there is no one to actually type the credentials (see Basic LDAP with Crypto API and Internet Explorer). One more problem is that the browser usually caches the credentials the user entered and keeps retrying them until they fail; the LDAP server may treat this as a brute-force attack and lock the user account out.
NTLM
When you use NTLM, everything is supposed to be transparent to the user and the browser provides the NTLM credentials of the logged-on user automatically. Take into account, though, that for NTLM authentication the product again uses LDAP binding behind the scenes: the proxy binds to the LDAP server using the NTLM credentials presented by the browser. This may also lead to the account being locked out because of too many bind requests coming from the proxy at the same time.
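Both the Basic LDAP and NTLM paragraphs above come down to the same failure mode: the proxy is stateless, so a browser that keeps re-sending credentials the LDAP server rejects produces an unbroken run of 407 responses, and enough failed binds trip the domain's account-lockout policy. The following is an added example (not code from Web Safety or Diladele) that reads Squid's default native access.log format, which Web Safety sits behind as an ICAP plugin, and flags clients whose run of consecutive 407s reaches a threshold you set below your domain's lockout threshold. The log lines are constructed samples; the 5-request threshold, the hostnames and the client addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's default "squid" access.log format:
# timestamp elapsed client result/status bytes method URL user hierarchy/peer type
# 10.0.0.5 keeps retrying cached credentials that the LDAP bind rejects (six 407s in a row).
# 10.0.0.7 shows the normal pattern: one 407 challenge, then authenticated requests.
SAMPLE_LOG = """\
1700000000.001      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000000.230      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000000.480      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000000.700      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000000.950      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000001.200      0 10.0.0.5 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000001.010      0 10.0.0.7 TCP_DENIED/407 3921 GET http://intranet.example.local/ - HIER_NONE/- text/html
1700000001.300    120 10.0.0.7 TCP_MISS/200 5120 GET http://intranet.example.local/ jdoe@EXAMPLE.LOCAL HIER_DIRECT/203.0.113.10 text/html
1700000001.600     90 10.0.0.7 TCP_MISS/200 2048 GET http://intranet.example.local/css/site.css jdoe@EXAMPLE.LOCAL HIER_DIRECT/203.0.113.10 text/css
"""

# One regex for the ten whitespace-separated fields of the native Squid format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def find_auth_retry_storms(log_text, threshold=5):
    """Return {client: longest run of consecutive 407 responses} for clients
    whose run reached `threshold`.

    A single 407 is the normal proxy challenge. An unbroken run means the
    browser keeps re-sending credentials that the LDAP bind rejects, which is
    exactly the traffic that trips an Active Directory account-lockout policy.
    Pick `threshold` below the domain's lockout threshold (assumed 5 here).
    """
    streak = defaultdict(int)   # current run of 407s per client
    longest = defaultdict(int)  # longest run seen per client
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if rec["status"] == 407:
            streak[client] += 1
            longest[client] = max(longest[client], streak[client])
        elif rec["user"] != "-":
            # An authenticated request: the credentials the browser holds work,
            # so the earlier 407 was just the challenge and the run is over.
            streak[client] = 0
    return {c: n for c, n in longest.items() if n >= threshold}


if __name__ == "__main__":
    for client, run in find_auth_retry_storms(SAMPLE_LOG).items():
        print(f"{client}: {run} consecutive 407s, likely stale cached credentials")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a client that shows up here is worth clearing its browser credential cache before the domain locks the account, and the same run pattern appears with NTLM when each failed bind is repeated per request.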
Kerberos
Finally, knowing all these problems, around 20 years ago Microsoft adopted Kerberos proxy authentication, which does not have the problems described above. The user workstation asks the Kerberos server only once upon logon and then uses the retrieved ticket for all proxy authentication attempts automatically for a given user (be it the actual user behind the keyboard or a system service). It is a little harder to set up, though; see Integration with Microsoft Active Directory. Nevertheless, it can be done by carefully following the steps we describe in the docs.
Moreover, if you need a proxy that does this automatically, look at our native Microsoft Windows Web Filtering Proxy project. In that case, installing the proxy on a domain-joined machine is usually enough. See https://webproxy.diladele.com/docs/authentication/active_directory/