Restricting Networks on which SPNEGO Authentication Is Allowed
This section describes the procedure to change networks on which SPNEGO authentication is allowed.
Both SPNEGO authentication and form authentication are available for networks on which SPNEGO authentication is allowed.
Only form authentication is available for other networks.
[ Reference ]
Access from networks on which SPNEGO authentication is allowed requires SPNEGO authentication first.Failed SPNEGO authentication causes an automatic switch-over to form authentication.
However, in some applications, such as the Microsoft Office application (for Windows), *1 a switchover from SPNEGO authentication to form authentication may fail, making form authentication unavailable.When such applications are used from a network on which SPNEGO authentication is unavailable (such as external network on which Kerberos tickets cannot be issued), limiting SPNEGO authentication enables the use of form authentication.
*1 This is because modern authentication is interrupted when a 401 HTTP status code is received.SPNEGO authentication uses the 401 HTTP status code.(When SPNEGO authentication is successful, modern authentication is not interrupted.)
- Click "System" and then "Upstream ID Provider Management."
- Click the URL that appears next to “URL to the settings page” under “Integrated Windows Authentication Provider.”
- The dashboard of the Integrated Windows Authentication provider settings page appears.
- Click “Network Settings.”
Change the settings under “Networks for SPNEGO Authentication,” and then click “Update network settings.”
Option Description Enable SPNEGO authentication in all networks SPNEGO authentication is allowed on all networks. Restrict networks where users can use SPNEGO authentication Networks on which SPNEGO authentication is available are restricted. Source networks Enter the global IP address of networks to allow SPNEGO in CIDR notation (e.g., 203.0.113.0/24).
To input multiple networks, separate them with commas (,) or new lines.