6.3.5. NTLM Authentication Server

The NTLM option enables transparent authentication of Active Directory domain users, i.e., the user is not prompted for a username and password. With NTLM, the UserGate server does not verify credentials itself: it works with the domain controllers, which authenticate the user before Internet access is granted.

An NTLM server cannot provide a list of users to UserGate. Therefore, unless users were added to UserGate in advance (e.g., as local users or as users fetched from the AD domain with an LDAP connector), only the user types Known (those who successfully authenticated with the NTLM server) and Unknown (those who were not authenticated) can be used in filtering policies.

NTLM authentication works both with a proxy explicitly set in the user's browser (the standard mode) and in transparent mode with no proxy set in the browser. UserGate itself is configured identically for both modes; they differ only in the client-side configuration (steps 7 and 8 below).

To configure authorization using an NTLM server, follow these steps:

Step 1. Configure time synchronization with the domain controller.

In UserGate settings, turn on time synchronization with NTP servers and specify the IP addresses of the domain controllers as the primary and (optionally) secondary NTP server, so that UserGate and the domain share the same clock.

Step 2. Create DNS records for the UserGate server.

On the domain controller's DNS server, create DNS records for the UserGate server that will be used as the auth.captive and logout.captive domains (e.g., auth.domain.loc and logout.domain.loc).

Point them to the IP address of a UserGate interface connected to the Trusted network.

Step 3. Change the Captive portal auth domain address.

In the General settings section, change the Captive portal auth domain and (optionally) the Captive portal logout domain.

For the Captive portal auth domain, specify the DNS record created at the previous step; do the same for the Captive portal logout domain.

For more details on changing the addresses of the captive portal's Auth and Logout domains, see the section Captive Portal Configuration.

Step 4. Add an NTLM server.

In the Auth servers section, click Add, select Add NTLM server, and specify the display name for the server and the Windows domain name. For NTLM authentication to work correctly, the domain name specified here must resolve to the IP addresses of the domain controllers, since that is how UserGate locates the controllers that will check the credentials.

Step 5. Create a captive portal rule with NTLM authentication.

Configure a captive portal rule that uses the NTLM authentication method. The captive portal is described in more detail in the following chapters.

Step 6. Enable HTTP(S) service access for the zone.

In the Zones section, enable access to the HTTP(S) proxy service for the zone to which the users authenticated via NTLM are connected; without this, the browser cannot reach the proxy and no NTLM exchange takes place.

Step 7. For standard-mode authorization, configure the proxy on the user computers.

On the user computers, turn on mandatory proxy use and specify the IP address of a Trusted interface of UserGate as the proxy address.

Important! You can use a domain name instead of an IP address, but for NTLM this name must not be within the Active Directory domain's DNS namespace; otherwise the Windows computer will try to use Kerberos authentication against the proxy instead of NTLM.

Important! For the same reason, the names used as the auth.captive and logout.captive domains in UserGate settings must not be within the Active Directory domain's DNS namespace; otherwise the Windows computer will try to use Kerberos authentication.

Step 8. For transparent-mode authorization, configure automatic browser-based user authentication for all zones.

On user computers, go to Control panel --> Internet options --> Security, select the Internet zone --> Custom level --> User Authentication --> Logon and enable Automatic logon with current user name and password.

Repeat this setting for the other zones configured on the computer (Local intranet, Trusted sites).

Note that with this setting enabled in the Internet zone, the browser will answer an NTLM challenge from any host in that zone with the current user's credentials, not only from UserGate. Limit the change to the zones that actually need it, and consider placing the captive portal hostnames in the Local intranet zone so that automatic logon for the Internet zone can stay at its default.
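The following PowerShell script is an added example and is not UserGate's own code or tooling; it automates the Windows-side parts of the procedure above (step 2 on the domain controller, step 7 and step 8 on the workstations) and enforces the two "Important!" notes. The addresses, the AD domain name corp.example, the separate DNS zone ug.example, and the proxy port 8090 are assumptions for illustration; the registry values used for the zone logon setting are the ones Internet Options writes (1A00 = 0 means "Automatic logon with current user name and password"). Steps 3 to 6 are performed in the UserGate console and are not scripted here.

```powershell
# Added example (not UserGate code). Assumed values: adjust to your environment.
$UserGateIp  = '10.0.0.1'         # Trusted interface of UserGate (assumed)
$AdDomain    = 'corp.example'     # Active Directory DNS domain (assumed)
$CaptiveZone = 'ug.example'       # zone hosted on the DC's DNS server, outside the AD namespace (assumed)
$AuthHost    = "auth.$CaptiveZone"
$LogoutHost  = "logout.$CaptiveZone"
$ProxyPort   = 8090               # UserGate HTTP(S) proxy port (assumed)

function Assert-OutsideAdNamespace {
    # Guard for the "Important!" notes: a name under the AD domain makes Windows try Kerberos.
    param([string]$Name, [string]$Domain)
    $n = $Name.ToLower(); $d = $Domain.ToLower()
    if ($n -eq $d -or $n.EndsWith(".$d")) {
        throw "$Name lies inside the AD DNS namespace $Domain; Windows clients would attempt Kerberos, not NTLM."
    }
}

function Add-CaptiveDnsRecords {
    # Step 2, run on the domain controller (requires the DnsServer module from the DNS Server tools).
    param([string]$Zone, [string]$Ip, [string[]]$Labels = @('auth', 'logout'))
    foreach ($label in $Labels) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $label -IPv4Address $Ip -ErrorAction Stop
    }
}

function Test-CaptiveDnsRecords {
    # Check that the captive names resolve to the Trusted interface before pointing
    # the Captive portal auth/logout domains at them (step 3).
    param([string[]]$Names, [string]$Ip)
    foreach ($name in $Names) {
        $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }
        if (-not ($a.IPAddress -contains $Ip)) { throw "$name does not resolve to $Ip" }
    }
}

function Set-ClientProxy {
    # Step 7 (standard mode), run on the workstation: mandatory proxy pointing at UserGate.
    # Use the IP address or a name outside the AD namespace (see Assert-OutsideAdNamespace).
    param([string]$ProxyHost, [int]$Port)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer -Value "${ProxyHost}:$Port" -Type String
}

function Enable-AutomaticLogon {
    # Step 8 (transparent mode): value 1A00 = 0 in the zone key selects
    # "Automatic logon with current user name and password".
    # Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
    # Caveat: zone 3 makes the browser answer NTLM challenges from any Internet host
    # with the user's credentials; pass -Zones 1,2 and put the captive hostnames in
    # the Local intranet zone if you want to avoid that exposure.
    param([int[]]$Zones = @(1, 2, 3))
    foreach ($z in $Zones) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        Set-ItemProperty -Path $key -Name '1A00' -Value 0 -Type DWord
    }
}

# Pre-flight checks (safe to run anywhere).
Assert-OutsideAdNamespace -Name $AuthHost   -Domain $AdDomain
Assert-OutsideAdNamespace -Name $LogoutHost -Domain $AdDomain

# On the domain controller:
#   Add-CaptiveDnsRecords  -Zone $CaptiveZone -Ip $UserGateIp
#   Test-CaptiveDnsRecords -Names $AuthHost, $LogoutHost -Ip $UserGateIp
# On each workstation (pick the mode you use):
#   Set-ClientProxy -ProxyHost $UserGateIp -Port $ProxyPort   # standard mode
#   Enable-AutomaticLogon                                     # transparent mode
```

The registry writes affect only the current user's profile; for a fleet, deploy the same values through Group Policy (Internet Explorer Maintenance or the Internet Settings preferences) rather than per-machine scripts. Run the DNS functions in an elevated session on the domain controller, and re-run Test-CaptiveDnsRecords from a workstation to confirm the names are reachable through the client's resolver before changing the captive portal domains in UserGate.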