Require NTLM Authentication Credentials Assertion
The Require NTLM Authentication Credentials assertion allows a single point of authentication via NTLM, in addition to the ability to receive authorization data used to control resource access. This data includes the full user name, home directory path, user account permissions and Group membership.
Require NTLM Authentication Credentialsassertion allows a single point of authentication via NTLM, in addition to the ability to receive authorization data used to control resource access. This data includes the full user name, home directory path, user account permissions and Group membership.
The connection is authenticated via an NTLM or Negotiate protocol and the CA API Gateway will challenge the requester until a security context has been established. Once the first authentication is established, the connection will continue to be authenticated until either the connection drops or the authentication times out.
Once NTLM Authentication has been established, you can use the Authenticate Against Identity Provider or Authenticate User or Group assertions to provide further authorization of the user.
Keep in mind of the following points while using the Require NTLM Authentication Credentials assertion:
- The LDAP Identity Provider used in these assertions must match the one used in the Require NTLM Authentication Credentials assertion. Changes to this assertion do not affect established connections.
- You can have only one active (executed) Require NTLM Authentication Credentials assertion in the policy. The others may be present but should not be executed at the same time. The others may be present but should not be executed at the same time, otherwise connection issues may occur.
- NTLM Proxy authentication is not supported in this version. Use pass-through NTLM instead.
- Users with single or multi-byte non-English characters in their names are not supported for NTLM authentication. (As per RFC-4120 , Kerberos Principal names cannot contain non-ASCII characters.)
You may encounter NTLM connection issues when using the Chrome browser. CA recommends using the Internet Explorer or Mozilla Firefox browsers.
- To be able to perform NTLM Authentication, a computer account with sufficient privileges must exist to call the Netlogon service on behalf of the client in the authenticating domain.
- Trust between Active Directory domains must exist in order to perform NTLM pass-through authentication.
- NTLM Configuration must already be enabled in the LDAP Identity Provider Wizard. For more information, see LDAP Identity Provider Wizard.
Context Variables Created by This Assertion
The Require NTLM Authentication Credentials assertion sets the following context variables for inbound NTLM requests, upon successful NTLM authentication. The default
<prefix>is "ntlm" and can be changed in the assertion properties."
The variables in the table below (except for sAMAccountName) are set only if the user account has the corresponding values set in the Active Directory.
This is the pre-Windows 2000 user name, which is the only required variable prefix.
Contains the full user name of the account (first and last name).
Contains the home directory path from the account profile.
Contains the home directory drive from the account profile.
Sets the user flags for permissions.
Contains the session key from the Netlogon server.
Contains the SID of the primary group.
This is a list of any additional SIDS of which the account is a member.
The domain to which the user is logged.
Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Adding an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- When adding the assertion,Require NTLM Authentication Credentialsautomatically appears. When modifying the assertion, right-clickRequire NTLM Authentication Credentialsin the policy window and selectNTLM Authentication Propertiesor double-click the assertion in the policy window. The assertion properties are displayed.
- An authenticated connection can have one of the following maximum types of durations.SettingDescriptionDefaultThe timeout is unlimited.CustomThis is a timeout specific to the assertion, which can range from 0 to 2147483647.0This is the same as "Default", in which there is an unlimited time duration.Variable PrefixEnter a prefix that will be added to the context variables created by this assertion?. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy.The default prefix isntlm.For an explanation of the validation messages displayed, see Context Variable Validation.
- Click [OK] when done.
Once the maximum timeout period has been reached, the Gateway will request the client to re-authenticate.