[KB7241] Resolve the intranet single sign-on authentication issues with TLS filtering activated

Issue

  • ESET Windows endpoint products with TLS filtering enabled cannot connect to an intranet or localhost site using HTTPS
  • You are asked for the password repeatedly, but the credentials are rejected
  • Single sign-on does not work with TLS filtering enabled in ESET endpoint products when accessing intranet sites using HTTPS
  • Credentials must be entered manually using an HTML form.
  • Create an exception on the affected computers to resolve the issue

Details

This situation can occur if the authentication is based on protocols such as SPNEGO (WWW-Authenticate: Negotiate), Kerberos or NTLM, and if Channel Binding Tokens are used.
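
Added illustration (not part of the ESET article and not ESET's code): a Python sketch of why a channel binding token stops matching when TLS filtering presents its own certificate to the client. It assumes the `tls-server-end-point` binding type from RFC 5929 with SHA-256-signed certificates; the certificate bytes and function names are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT = b"constructed-cert: CN=intranet.example, issuer=Corp Issuing CA"
FILTER_CERT = b"constructed-cert: CN=intranet.example, issuer=TLS filtering root"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 binding value: hash of the server certificate.
    Assumption: the certificate is SHA-256 signed, so SHA-256 is the hash."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """MD5 over gss_channel_bindings_struct: the 16-byte value NTLM carries in
    MsvAvChannelBindings and Kerberos in the authenticator checksum."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    # Initiator/acceptor address type and length fields are all zero.
    blob = b"\x00" * 16 + struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(blob).digest()


def server_accepts(cert_seen_by_client: bytes, cert_on_server: bytes) -> bool:
    """The client binds to the certificate it saw; the server recomputes the
    token from its own certificate and rejects the logon on mismatch."""
    client_cbt = channel_binding_token(cert_seen_by_client)
    server_cbt = channel_binding_token(cert_on_server)
    return hmac.compare_digest(client_cbt, server_cbt)


if __name__ == "__main__":
    # TLS filtering active: the client sees the filter's certificate.
    print("filtered :", server_accepts(FILTER_CERT, SERVER_CERT))
    # Scan action "Ignore": the client sees the real server certificate.
    print("excepted :", server_accepts(SERVER_CERT, SERVER_CERT))
```
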

This behavior is a security feature of the underlying authentication protocol:

Solution

Create an exception on the affected computers - preferred solution

  1. Open the main program window of your ESET Windows product.
  2. Press the F5 key to access Advanced Setup.
  3. Click Web and Email, expand SSL/TLS and next to List of known certificates click Edit.

Figure 1-1

  4. Click Add.

Figure 1-2

  5. Click URL and in the URL address field, type the domain name of the server and then click OK. To import the certificate manually, click File.

    Figure 1-3

  6. Next to Scan action, select Ignore and click OK.

Figure 1-4

  7. Click OK → OK to confirm the configuration change.

Figure 1-5

If you are managing ESET endpoint products remotely using ESET Security Management Center (or ERA/ECA), apply these settings as a policy.


Disable the "Extended Protection for Authentication" feature on the server

Disabling this feature will leave your server vulnerable to Man in the Middle attacks and is not recommended. We recommend that you attempt the solution above.

For more information see: