8.2. Authentication in HTTP and HTTPS

For audited HTTP and HTTPS connections, PSM supports the following in-band authentication methods for the HTTP protocol. These authentication methods are automatically supported for every Connection policy, without further configuration.

  • Basic Access Authentication (according to RFC 2617)

  • The NTLM authentication method commonly used by Microsoft browsers, proxies, and servers

PSM records the username used in the authentication process into the Username and Remote username fields of the connection database.

For authenticated sessions, PSM can perform group-based user authorization that allows you to fine-tune access to your servers and services: you can set the required group membership in the Channel policy of the HTTP connection. Note that group-based authorization in HTTP works only for authenticated sessions (for HTTP/HTTPS connections, PSM uses the LDAP server only to retrieve the group membership of authenticated users; you cannot authenticate the users to LDAP from PSM). If a username is not available for the session, PSM will permit the connection even if the Remote groups field is set.
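To make the username recording and the no-username case above concrete, the following added Python example (an illustration, not PSM code or its implementation) recovers the username from a Basic or NTLM Authorization header. The function names and sample values are constructed for this example, and decoding non-Unicode NTLM names as Latin-1 is an assumption.

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE

def ntlm_field(msg, pos):
    """Bytes addressed by a (Len, MaxLen, BufferOffset) descriptor, b"" if out of bounds."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length] if offset + length <= len(msg) else b""

def username_from_authorization(value):
    """Return the username carried in an Authorization header, or None."""
    scheme, _, token = value.strip().partition(" ")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if scheme.lower() == "basic":
        # RFC 2617: base64(userid ":" password); userid contains no ":"
        user, sep, _password = raw.partition(b":")
        return user.decode("utf-8", "replace") if sep and user else None
    if scheme.lower() == "ntlm" and raw.startswith(NTLMSSP_SIG) and len(raw) >= 64:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        if msg_type != 3:  # only the Type 3 (AUTHENTICATE) message names the user
            return None
        user = ntlm_field(raw, 36)  # UserNameFields descriptor
        (flags,) = struct.unpack_from("<I", raw, 60)
        # Assumption: non-Unicode (OEM) names are decoded as Latin-1 here
        codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        return user.decode(codec, "replace") or None
    return None

def constructed_type3(user, domain):
    """Constructed sample Type 3 message with empty responses (not a capture)."""
    parts = (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b"")
    fields, payload = b"", b""
    for data in parts:  # Lm, Nt, Domain, User, Workstation, SessionKey
        fields += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload

# Constructed sample headers
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_NTLM3 = "NTLM " + base64.b64encode(constructed_type3("bob", "CORP")).decode()
SAMPLE_NTLM1 = "NTLM " + base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 1) + bytes(52)).decode()
```

A header for which this returns None (an NTLM Type 1 message, another scheme, or a malformed token) carries no username, which is the case where the Remote groups setting is not enforced.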

PSM does not store failed HTTP authentication attempts in the connection database. This means that the Verdict field of the Search page will never contain CONN-AUTH-FAIL values for HTTP connections.

Note that authentication also affects the way PSM handles HTTP sessions. For details, see Section 8.4, Session-handling in HTTP.