6.3.6. NTLM authentication server

NTLM authentication allows you to authorize users of Active Directory domains transparently (without prompting them for credentials). To perform NTLM authentication, your UserGate server communicates with the domain controllers, asks them to verify a user, and then allows or denies that user Internet access.

NTLM servers cannot provide a list of users, so if user accounts were not added to UserGate beforehand (e.g. as local users or via an LDAP connector), only the Known (successfully authorized on the NTLM server) and Unknown (failed to authorize) statuses will be available for use in filtering policies.

NTLM authentication works both when a proxy server is explicitly specified in the user's browser (standard mode) and when no proxy server is specified (transparent mode). In the latter case, setting up UserGate is similar to the setup for standard authentication.

To set up NTLM authentication, perform the following steps (each step name is followed by its description):

Step 1. Set up synchronization of time with the domain controller.

In the UserGate settings, enable synchronization of time with NTP servers and provide IP addresses of the domain controllers as the primary and secondary NTP servers.

Step 2. Create a DNS record for the UserGate server.

On a domain controller, create DNS records for your UserGate server corresponding to the auth.captive and logout.captive domains, e.g. auth.domain.loc and logout.domain.loc.

As an IP address, provide the address of your UserGate interface connected to the Trusted network.

Step 3. Change the address for Captive portal auth domains.

Replace the address in Captive portal auth domain and optionally the address in Captive portal logout domain in the General settings section with the DNS records created in the previous step. For more details on how to change domain addresses for the Captive portal auth and logout domains, please refer to General settings.

Step 4. Add a NTLM authentication server.

Go to Authentication servers, click Add, select Add a NTLM server and then specify the name, IP address of the domain controller, and the domain name.

Step 5. Create a Captive portal rule with NTLM authentication.

Set up the Captive portal for authentication through NTLM. For more details on the Captive portal, please refer to the next chapters of the Guide.

Step 6. Allow access to HTTP(S) for the zone.

In the Zones section, allow access to HTTP(S) proxy for the zone to which the users who authorize through NTLM are connected.

Step 7. Set up the proxy server on user workstations to enable standard authentication.

On the user workstations, enable the mandatory use of a proxy server and specify the IP address of your Trusted UserGate interface as the proxy server address.

Important! You can use domain names instead of IP addresses, but do not specify domain names from Active Directory; otherwise, Windows-based workstations will attempt to authorize through Kerberos.

Step 8. For authentication in the transparent mode, set up automatic user authentication by the browser across all of the browser's security zones.

On the user workstations, go to Control Panel-->Internet Options-->Security, select the Internet zone, click Custom level, and under User Authentication enable Automatic logon with current name and password.

Repeat this configuration for all other zones available on a given workstation (Local intranet, Trusted sites).
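The following PowerShell script is an added example, not part of the UserGate guide, that applies Steps 7 and 8 on a single Windows workstation and then checks the DNS records from Step 2. The proxy address 192.0.2.10:8090, the domain controller name, and the auth/logout host names are assumptions for illustration; replace them with your own values. It writes the per-user (HKCU) Internet Settings keys that the Internet Options dialog edits: ProxyEnable/ProxyServer for Step 7 and the Logon option (value name 1A00) of each security zone for Step 8, where 0 means "Automatic logon with current user name and password".

```powershell
# Added example: configure a workstation for UserGate NTLM authentication
# (Steps 7 and 8) and verify the captive-portal DNS records (Step 2).
# All addresses and names below are assumptions for illustration.
$ProxyServer        = "192.0.2.10:8090"     # assumption: Trusted UserGate interface IP and proxy port
$TrustedInterfaceIp = "192.0.2.10"          # assumption: same interface, used for the DNS check
$CaptiveNames       = @("auth.domain.loc", "logout.domain.loc")  # example names from Step 2

$InetSettings = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Step 7: mandatory proxy. Use an IP address (or a non-AD host name) so the
# workstation does not try Kerberos instead of NTLM.
Set-ItemProperty -Path $InetSettings -Name ProxyEnable -Type DWord  -Value 1
Set-ItemProperty -Path $InetSettings -Name ProxyServer -Type String -Value $ProxyServer

# Step 8: "Logon" option per security zone (registry value 1A00):
#   0x00000 = Automatic logon with current user name and password
#   0x10000 = Prompt for user name and password
#   0x20000 = Automatic logon only in Intranet zone
#   0x30000 = Anonymous logon
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
$Zones = @{ 1 = "Local intranet"; 2 = "Trusted sites"; 3 = "Internet" }
foreach ($zoneId in $Zones.Keys) {
    $zonePath = "$InetSettings\Zones\$zoneId"
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    Set-ItemProperty -Path $zonePath -Name "1A00" -Type DWord -Value 0
}

# Show the resulting zone settings so the change can be audited.
foreach ($zoneId in $Zones.Keys) {
    $logon = (Get-ItemProperty -Path "$InetSettings\Zones\$zoneId" -Name "1A00")."1A00"
    "{0,-15} 1A00 = 0x{1:X5}" -f $Zones[$zoneId], $logon
}

# Step 2 check: the captive-portal names must resolve to the Trusted UserGate interface.
# If they resolve elsewhere, the redirect to the auth domain will not reach UserGate.
$allGood = $true
foreach ($name in $CaptiveNames) {
    $addrs = @((Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress)
    if ($addrs -contains $TrustedInterfaceIp) {
        "OK    $name -> $TrustedInterfaceIp"
    } else {
        "CHECK $name -> $($addrs -join ', ') (expected $TrustedInterfaceIp)"
        $allGood = $false
    }
}
if (-not $allGood) { Write-Warning "Fix the DNS records from Step 2 before testing NTLM logon." }
```

Run the script in the context of the user whose browser settings you want to change; for a fleet, deploy the same values through Group Policy rather than per-user registry writes. Note the trade-off in Step 8: with the Logon option set to 0 in the Internet zone, the browser answers NTLM challenges from any host in that zone, not only from UserGate, so prefer the standard (explicit proxy) mode where it is possible and review proxy and authentication logs for unexpected challenge sources.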