Authentication Methods

Method Description Policy Type
No authentication Identifies users by their IP address only. All requests are assigned to the Unauthenticated IPs user group. Both
Negotiate Kerberos/NTLM

Negotiates with the device to determine whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain.

Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials.

Non-Transparent
Negotiate Kerberos/NTLM (Terminal Services compatibility mode)

Negotiates with the device to determine whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain. This method works with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might connect from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see the help topic, Adding new Smoothwall Firewall rules.

Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials.

Non-Transparent
Kerberos Identifies users by using the Kerberos keytab added to the Smoothwall Filter, see the help topic, Adding Kerberos keytabs. Non-Transparent
Kerberos (Terminal Services compatibility mode) Identifies users by using the Kerberos keytab added to the Smoothwall Filter, see the help topic, Adding Kerberos keytabs. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see the help topic, Adding new Smoothwall Firewall rules. Non-Transparent
Proxy authentication Identifies users by requesting a username and password from the user’s browser. This authentication method prompts users to enter a username and password when they try to use their web browser. The username and password details are encoded in all future requests made by the user’s browser. Non-Transparent
Proxy authentication (Terminal Services compatibility mode) Identifies users by requesting a username and password from the user’s browser. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see the help topic, Adding new Smoothwall Firewall rules. Non-Transparent
NTLM identification

Identifies users based on the username used to log into their Windows-based device.

Note: NTLM identification doesn't verify a user's credentials. You should only use it where all devices are secured and are members of a Windows domain. Unsecured devices can spoof their credentials. The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames.

Non-Transparent
NTLM identification (Terminal Services compatibility mode)

Identifies users based on the username used to log into their Windows-based device. It can be used in conjunction with Microsoft Terminal Services. This method works with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see the help topic, Adding new Smoothwall Firewall rules.

Note: NTLM identification doesn't verify a user’s credentials. You should only use it where all devices are secured and are members of a Windows domain. Unsecured devices can spoof their credentials. The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames.

Non-Transparent
NTLM authentication

Identifies users based on the username used to log into their Windows-based device and validates their credentials with the domain controller. However, there must be a device account for the Smoothwall Filter in the Active Directory and the account specified on the Directories page must have permission to connect the device to the domain.

Note: The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames

Non-Transparent
NTLM authentication (Terminal Services compatibility mode)

Identifies users according to the username logged into their Windows-based device and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services. However, there must be a device account for the Smoothwall Filter in Active Directory and the account specified on the Directories page must have permission to connect the device to the domain. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see the help topic, Adding new Smoothwall Firewall rules.

Note: The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames.

Non-Transparent
Redirect users to SSL Login page (with background tab)

Identifies users with the authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the SSL Login page refreshes itself automatically so that the authentication time-out period doesn't elapse. Because of this, the user must always leave the SSL Login page open. Select this method if a user’s browser can't accept cookies. This method is also suitable if a user’s browser plug-ins or applications need the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s device and the Smoothwall Filter is encrypted. To securely log out, the user must click Logout on the SSL Login page. See the help topic, Customizing the SSL Login Page.

Both
Redirect users to SSL Login page (with session cookie) Identifies users with the authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices, which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s device and the Smoothwall Filter is encrypted. To securely log out, the user must click Logout from the SSL Login page. See the help topic, Customizing the SSL Login Page. Both
Redirect users to non-SSL login page (with background tab)

If a user’s browser can't accept cookies or if a user’s browser plug-ins or applications need the authenticated session to remain active. If the device isn't logged in, web requests are redirected to the non-SSL login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the non-SSL login page automatically refreshes itself so that the authentication time-out period doesn't elapse. Because of this, the user must always leave the non-SSL login page open. To securely log out, the user must click Logout on the non-SSL login page. See the help topic, Customizing the SSL Login Page.

Note: This page isn't secure because it uses HTTP to submit the username and password, but avoids the certificate needed for SSL login.

Both
Redirect users to non-SSL login page (with session cookie)

This method is useful for users of tablets and other mobile devices, which have problems keeping tabs in browsers open in the background. If the device isn't logged in, web requests are redirected to the non-SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the Smoothwall stores a session cookie in the user’s browser. The cookie removes the need for the user to reauthenticate. To securely log out, the user must click Logout from the non-SSL Login page. See the help topic, Customizing the SSL Login Page.

Note: The page isn't secure because it uses HTTP to submit the username and password, but avoids the certificate needed for SSL login.

Both
Core authentication

Identifies users with the authentication service. If the user hasn't authenticated, they're identified by their IP address because authentication service supports only one user by device IP address. The request is assigned to the Unauthenticated IPs group. If an unauthenticated request ends up at a block page, if configured, the user can go to the SSL or non-SSL login page to attempt authentication. This way, you can control what sites anonymous users can access, with authenticated users gaining a higher level of access.

Both
Ident Identifies users according to the username returned by an Ident server running on their device. Ident doesn't verify a user’s credentials. It should only be used where all device devices are secured and running an Ident server controlled by the network administrator. Unsecured devices can spoof their credentials. The Smoothwall Filter supports Ident for compatibility with any Ident networks your organization might already be using. Networks supporting Ident authentication need an Ident server application to be installed on all devices that can be queried by Ident systems. The user doesn't need to enter their username because it's automatically supplied by the Ident server application. Once a user’s Ident server has identified the user, the user’s web activities are filtered according to their authentication group membership. Refer to the Ident server’s administrator's guide. Non-Transparent
Identification by location Identifies users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain devices don't support the authentication method used by the rest of the network. See the help topics, Configuring identification by location and, Creating location objects. Both
Negotiate Kerberos/NTLM (via redirect)

Negotiates with the device to identify whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain.

Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials.

Transparent
Kerberos (via redirect) Identifies users with the authentication service. If no user is logged in, redirect Web requests to the Kerberos login page, which obtains the username logged into their Windows-based device. See the help topic, Adding Kerberos keytabs. The authentication service supports only one user per device IP address. Both
Smart redirect Identifies the user’s device to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser’s HTTP header packet. This is a best-guess scenario, based on pattern-matching and compatibility. Within the user activity screen, see the help topic, Banning or logging a user out, smart redirected users will show the authentication method used, not Smart redirect. Both
NTLM identification (via redirect) Identifies users with the authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Windows-based device. The authentication service supports only one user per device IP address. This option is for backward compatibility with earlier versions of the Smoothwall Filter. Both
NTLM authentication (via redirect) Identifies users with the authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Windows-based device and validates their credentials with the domain controller. The authentication service supports only one user per device IP address. This option is for backward compatibility with earlier versions of the Smoothwall Filter. Both
Global Proxy using NTLM

Identifies users using the Secure Global Proxy service. Users must be logged in using NTLM credentials. You can implement device authentication using certificates on your devices. For a detailed description of how to configure these, see the help topic, About the global proxy.

Note: Even if your Smoothwall Filter has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy. Turning on this policy adds the Smoothwall Firewall rules to allow external access to the proxy port automatically.

Non-Transparent

Something not right? .