Hello,
Until now we used AD-SSO and it worked. Now we're in the process of hardening our AD and want to disable NTLM as far as possible.
Since the UPM uses NTLMv2 for SSO that's a problem. Of course we can define an exception to still allow NTLMv2 for the UTM but we want to avoid that. And if the UPM looses connection to the AD and needs to be joined again (had happened after some updates in the past) we still have to re-enable NTLMv1 and SMB1 on the DCs for the joining-process as far as i understand. That's alot of work in our environment.
That brings up multiple questions.
1. Is there a way to use AD-SSO without NTLM (Kerberos/Ldaps only)?
2. If not, is it "secure" to use "simple user athentication" instead with ldaps against AD? Background of that question: I don't know how authentication against the proxy works with this setting and it's hard to find information about the details. I'm worried about compromised AD-Accounts by things like extracting/cracking hashes or sniffing clear-text passwords submitted somewhere.
3. What is the most "secure" way to do proxy authentication in your opinion? Local users/groups on the utm? We need to apply different filters to different users on the same machine (Terminal-Server for Internet-Access).
Thanks for reading. Hope you can help me.
This thread was automatically locked due to age.
