NTLM


1 Introduction

NT LAN Manager (NTLM) is a Windows Challenge/Response authentication protocol that is often used on networks that include systems running the Windows operating system and Active Directory.

Kerberos authentication adds greater security than NTLM systems on a network and provides Windows-based systems with an integrated single sign-on (SSO) mechanism. While Kerberos is often the preferred authentication method, certain client/server scenarios may require NTLM, such as when a firewall is preventing access to Kerberos services.

NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name and a user name. NTLM uses an encrypted challenge/response mechanism to authenticate a user without sending the user’s password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials. This process consists of three messages being exchanged, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication).

Figure 1‑1: NTLM example architecture

Interactive NTLM authentication over a network typically involves two systems: a client system, where the user is requesting authentication, and a domain controller, where information related to the user’s password is kept. Non-interactive authentication, which may be required to permit an already logged-on user to access a resource such as a server application, typically involves three systems: a client, a server (typically an Exchange server) and a domain controller that does the authentication on behalf of the server.
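Over HTTP, the three messages described above travel as base64 "NTLM ..." tokens in the Authorization and WWW-Authenticate headers. The following added example (not KEMP's code and not part of the original document) decodes such a token and reports the message type, the server challenge and target of a Type 2, or the domain, user and workstation asserted by a Type 3, which is handy when reading proxy or ESP logs; the builders and the KEMPTECH/alice/WS01 values are constructed test data.

```python
# Added example (not KEMP's code): decode the NTLMSSP token carried in an HTTP
# "NTLM <base64>" authentication header and report what stage of the exchange it is.
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set

def _buf(msg, off):
    # security buffer descriptor: u16 length, u16 max length, u32 offset into msg
    length, _, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")

def parse_ntlm_header(header_value):
    """Return a dict describing an 'NTLM <base64>' header value, or None if not NTLMSSP."""
    scheme, _, token = header_value.strip().partition(" ")
    msg = base64.b64decode(token) if scheme.upper() == "NTLM" else b""
    if not msg.startswith(SIGNATURE) or len(msg) < 16:
        return None
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:    # NEGOTIATE: client capability flags at offset 12
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == 2:  # CHALLENGE: target name at 12, flags at 20, 8-byte challenge at 24
        flags = info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["target"] = _text(_buf(msg, 12), flags)
        info["challenge"] = msg[24:32].hex()
    elif msg_type == 3:  # AUTHENTICATE: domain at 28, user at 36, workstation at 44, flags at 60
        flags = info["flags"] = struct.unpack_from("<I", msg, 60)[0]
        info["domain"], info["user"], info["workstation"] = (
            _text(_buf(msg, o), flags) for o in (28, 36, 44))
    return info

def build_type2(target, challenge):
    # Constructed test data only: a minimal CHALLENGE with no target info or version block.
    t = target.encode("utf-16-le")
    msg = (SIGNATURE + struct.pack("<IHHII", 2, len(t), len(t), 48, NEGOTIATE_UNICODE)
           + challenge + bytes(8) + struct.pack("<HHI", 0, 0, 48) + t)
    return "NTLM " + base64.b64encode(msg).decode()

def build_type3(domain, user, workstation):
    # Constructed test data only: an AUTHENTICATE with empty LM/NT responses and session key.
    blobs = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    offsets = [64 + sum(map(len, blobs[:i])) for i in range(len(blobs))]
    fields = b"".join(struct.pack("<HHI", len(b), len(b), o) for b, o in zip(blobs, offsets))
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(blobs)
    return "NTLM " + base64.b64encode(msg).decode()
```

Feed `parse_ntlm_header` the value of each Authorization or WWW-Authenticate header taken from a log line; a request that never reaches a Type 3 points at the client-side negotiation failing rather than at the LoadMaster's server-side KCD step.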

The Edge Security Pack (ESP) on the KEMP LoadMaster supports multiple authentication methods including NTLM. This enables users to seamlessly authenticate to ESP-protected virtual services and be securely proxied to backend applications such as Microsoft Exchange and SharePoint.

Document Purpose

The purpose of this document is to provide step-by-step instructions on how to configure the LoadMaster to use NTLM authentication.

1.1 Intended Audience

This document is intended to be used by customers who are interested in finding out how to configure the LoadMaster to use NTLM authentication and who already have some understanding of the NTLM protocol.

2 Configure NTLM Authentication

A number of steps are required in order to set up and configure NTLM authentication with KEMP LoadMaster and ESP. Refer to the sections below for step-by-step instructions.

2.1 Configure Internet Options on the Client Machine

The security site address needs to be added to the local intranet zone on the client machine. To do this, follow the steps below:

  1. Click Start and select Control Panel.

Figure 2‑1: Internet Options

  2. Click Internet Options.

Figure 2‑2: Internet Properties

  3. Select the Security tab.
  4. Click Local intranet.
  5. Click the Sites button.

Figure 2‑3: Advanced

  6. Click Advanced.

Figure 2‑4: Local intranet zone

  7. Enter the address of the security site and click Add.
  8. Click Close.
  9. Click OK.
  10. Click OK again.

2.2 Configure the LoadMaster

In order for NTLM to work with the LoadMaster, both a client and server SSO domain need to be created. For instructions on how to add these SSO domains on the LoadMaster, refer to the sections below.

2.2.1 Configure the Server Side SSO Domain

To configure the server side SSO domain, follow the steps below in the LoadMaster Web User Interface (WUI):

  1. In the main menu, select Virtual Services > Manage SSO.

Figure 2‑5: Add SSO domain

  2. In the Server Side Single Sign On Configurations section, enter the name of the Single Sign On (SSO) domain in the Name text box and click Add.

Figure 2‑6: SSO Domain Settings

  3. Select Kerberos Constrained Delegation as the Authentication Protocol.
  4. Enter the Kerberos Realm address and click Set Kerberos realm. Click OK.

The Kerberos realm is usually the domain. The Kerberos realm should be a name (not an IP address), such as kemptech.local. If an IP address is specified, authentication will not work. This field only accepts one name.

Double quotes are not allowed in this field.

  5. Enter the Kerberos Key Distribution Center name and click Set Kerberos KDC. Click OK.

This field only accepts one Key Distribution Center. The Key Distribution Center address is usually the IP address of the Active Directory instance.

Double quotes are not allowed in this field.

  6. Enter the Kerberos Trusted User Name and click Set KCD trusted user name. Click OK.

The Kerberos Trusted User Name needs to be the same as the LoadMaster host name. The trusted user represents the LoadMaster. Refer to the Kerberos Constrained Delegation, Feature Description document for some further key requirements relating to the trusted user account.

Double and single quotes are not allowed in the Kerberos Trusted User Name field.

  7. Enter the Kerberos Trusted User Password and click Set KCD trusted user password. Click OK.

2.2.2 Configure the Client Side SSO Domain

Figure 2‑7: Client SSO domain

The client side SSO domain can be created by going to Virtual Services > Manage SSO > Add (in the Client Side Single Sign On Configurations section) and filling out the details as needed. The Authentication Protocol must be set to LDAP for NTLM authentication to work.

2.2.3 Configure the Virtual Service

To configure a Virtual Service to use NTLM authentication, follow the steps below.

These steps assume that the Virtual Service has already been set up and configured as needed (apart from the ESP settings). For further information on Virtual Services in general, refer to the Virtual Services and Templates, Feature Description. For further information on the different fields in the LoadMaster WUI, please refer to the Web User Interface (WUI), Configuration Guide.

  1. In the main menu of the LoadMaster WUI, go to Virtual Services > View/Modify Services.
  2. Click Modify on the relevant Virtual Service.
  3. Expand the ESP Options section.

Figure 2‑8: ESP Options

  4. Select the Enable ESP check box to turn ESP on.
  5. Select NTLM as the Client Authentication mode.
  6. Select the client-side SSO domain that was created in Section 2.2.2 in the SSO Domain drop-down list.
  7. Set any Allowed Virtual Hosts and Allowed Virtual Directories, as needed.
  8. Select KCD as the Server Authentication Mode.
  9. Select the server-side SSO domain that was created in Section 2.2.1 in the Server Side configuration drop-down list.
  10. Configure any of the other ESP settings as needed.

For further information on the ESP WUI options and ESP in general, please refer to the Edge Security Pack (ESP), Feature Description.

2.3 Configure Firefox to Allow NTLM (if needed)

In many organizations, Internet Explorer is configured to allow NTLM on internal sites, but Firefox is not. To configure Firefox to allow certain sites, follow the steps below:

  1. Open Firefox.
  2. In the address bar, type about:config.
  3. A warning may appear; click the button to continue.

Figure 2‑9: Network.automatic results

  4. In the Search text box, enter network.automatic.
  5. Double-click the network.automatic-ntlm-auth.trusted-uris entry.
  6. Enter the relevant site address(es).

Multiple sites can be added by separating them with a comma.

  7. Click OK.

Firefox may need to be restarted for the changes to take effect.

In some environments, the following three parameters might need to be updated:

  • network.automatic-ntlm-auth.trusted-uris
  • network.negotiate-auth.delegation-uris
  • network.negotiate-auth.trusted-uris

Also, the signon.autologin.proxy parameter may need to be changed to true (double-click the parameter to change the value).

2.4 Troubleshooting

When troubleshooting problems with NTLM authentication in the LoadMaster, it can be useful to look at the ESP logs.

Figure 2‑10: ESP Options

Various levels of ESP logs can be enabled per-Virtual Service by enabling the check boxes in the ESP Logging section.

Figure 2‑11: Extended Log Files

These logs can then be viewed by going to System Configuration > Logging Options > Extended Log Files. For further information on the ESP logging, refer to the Edge Security Pack (ESP), Feature Description.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

  • Edge Security Pack (ESP), Feature Description
  • Web User Interface (WUI), Configuration Guide
  • Virtual Services and Templates, Feature Description
  • Kerberos Constrained Delegation, Feature Description

Document History

Date       Change           Reason for Change            Version  Resp.
June 2015  Initial draft    First draft of document      1.0      LB
Oct 2015   Release updates  Updates for 7.1-30 release   3.0      LB
Dec 2015   Release updates  Updates for 7.1-32 release   4.0      LB
Jan 2016   Minor updates    Updated                      5.0      LB
July 2016  Minor updates    Removed unneeded section     6.0      LB
Oct 2016   Release updates  Updates for 7.2.36 release   7.0      LB
