Question:
Why can't I find AD groups for trusted domains while doing a Directory search in access policies?
Environment: Cisco Web Security appliance (WSA), NTLM authentication, Trusted Domains
Symptoms:
- The user is trying to look up an Active Directory group to use as a Policy Member Definition in one of their Access Policies, but the group does not appear in the Directory Search.
- The group belongs to a trusted AD domain, not the domain the WSA has joined.
This behavior is by design. When configuring groups in access policies, the Directory Search does not list groups from trusted domains; it only returns groups from the domain the WSA has joined.
On all AsyncOS versions, the WSA can authenticate users from a different domain and match their AD groups, provided that domain has a two-way trust with the domain the WSA has joined.
In that scenario, groups from the trusted domain can be added to an access policy manually, as follows:
- Browse to GUI --> Web Security Manager --> Access Policies --> <Policy Name> --> Selected Groups and Users --> Groups
- Manually type in the entire group name, along with the domain name, into the 'Directory Search' field
- Click the "Add" button
- Click Done, then Submit and Commit the changes
Note that the WSA will not match manually configured groups if the other domain does not have a two-way trust relationship with the domain the WSA has joined; the group is accepted in the policy, but users from that domain will never match it.
Note: On AsyncOS 7.7 and later, the WSA supports multiple NTLM realms. Where there is no trust relationship between the two domains, create a separate NTLM realm for the second domain; with multiple NTLM realms, the WSA can look up groups from different domains within access policies.
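Because the manually typed group only matches when the trust is two-way, it is worth confirming the trust direction from the AD side before committing the policy. The following PowerShell check is an added example, not part of Cisco's documentation; it assumes the ActiveDirectory module (RSAT) is installed, that it runs with rights to read trust objects, and the domain names corp.example.com and partner.example.com are hypothetical placeholders for the domain the WSA joined and the domain that owns the group.

```powershell
# Added example (not Cisco code). Verifies that the domain owning the group
# has a two-way trust with the domain the WSA has joined, and that the group
# itself resolves in that domain, before it is typed into Directory Search.
Import-Module ActiveDirectory

$wsaDomain   = 'corp.example.com'     # domain the WSA has joined (assumption)
$groupDomain = 'partner.example.com'  # domain that owns the group (assumption)
$groupName   = 'Proxy-Allowed-Users'  # hypothetical group name

# Trust objects live in the WSA's domain; the Target is the other domain.
$trust = Get-ADTrust -Server $wsaDomain -Filter "Target -eq '$groupDomain'" `
                     -ErrorAction SilentlyContinue

if (-not $trust) {
    Write-Warning "No trust from $wsaDomain to $groupDomain. A manually typed group will never match;" +
                  " use a separate NTLM realm for $groupDomain (AsyncOS 7.7 and later)."
    return
}

# Direction is Inbound, Outbound or BiDirectional; only BiDirectional is a two-way trust.
if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust to $groupDomain is $($trust.Direction), not two-way. The WSA will not match its groups."
    return
}

# Confirm the group exists in the trusted domain so the name typed into the
# WSA (with its domain prefix) is spelled exactly as AD knows it.
$group = Get-ADGroup -Server $groupDomain -Identity $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning "Group '$groupName' not found in $groupDomain; check the spelling before adding it to the policy."
    return
}

"Two-way trust to $groupDomain confirmed; group '$($group.SamAccountName)' resolves and can be added to the access policy."
```

The script fails closed: any missing trust, one-way trust, or unresolved group stops with a warning naming the fallback, so the operator is not left with a policy entry that silently never matches.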