Client integrated and basic authentication

Client Integrated (NTLM) and Basic Authentication using Domain Controller authenticates users by means of Windows account names when some users are using Internet Explorer and others are not. Internet Explorer users are automatically authenticated against the Windows Domain Controller using their Windows login credentials. Non-Internet Explorer users are prompted to enter their Windows login credentials, which are authenticated against the Domain Controller.

Configure domain controllers

1. From the System Center Home page, click Proxy Settings > Authentication Settings.
2. Beside the User Authentication is Disabled/Enabled section, click Click here to change these settings.

3. Select Client Integrated and Basic Authentication using Domain Controller, and click Save.

   The Basic Realm Identifier and NTLM Domain Controller sections will appear once you've saved the authentication type.

4. Beside the Basic Realm Identifier section, click Click here to change these settings.

5. Type the name of the Basic Realm identifier to be used, and click Save.

   The realm appears in the authentication dialog that appears in the client's browser, enabling the user to determine why they are being asked to authenticate. It is cached by the browser, along with the user name and password for the duration of the session. The default Basic Realm identifier is 'Clearswift SECURE Web Gateway'.

6. Beside the NTLM Domain Controller section, click Click here to change these settings.
7. Edit the settings depending on whether you want to:
   • Configure automatic detection of domain controllers

     1. Select the Automatically detect Domain Controllers radio button.
     2. Enter the Fully Qualified Domain Name of the realm that you want the Web Gateway to join in the entry box above the radio buttons.

     3. Enter a NetBIOS Domain Name.

        If no domain is entered, it will be set to the first part of the realm.

   • Configure a single domain controller

     1. Select the Use Domain Controller radio button and enter the fully qualified domain name in the entry box next to the button.

     2. Enter the NetBIOS Domain Name in the entry box above the radio buttons.

        The length of this domain name must not exceed 160 characters.

8. Click Save.
9. Click Join Domain in the task panel.
   The Join Domain dialog appears.
10. Enter your user name and password, and click Join.

When you configure Client Integrated Authentication using Domain Controller the Web Gateway is added to the Windows domain. If you subsequently change the name of the Web Gateway it will no longer be recognized by the domain and authentication will not work. When configuring Peer Gateways to use Client Integrated Authentication using Domain Controller, you must configure locally on each peer. If you attempt to configure authentication on a remote peer, it will appear as though authentication has been set up correctly; however, authentication will not work.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Test authentication

1. On the Authentication Settings page, click Test Authentication. The Test Authentication dialog appears.
2. Enter a valid user name and password combination, and click Run Test.

Although Client Integrated Authentication (NTLM) supports user names or passwords that contain non-ASCII characters, the test mechanism does not. You cannot test authentication of user names or passwords containing extended characters.

Enable Apache Access logging

If you want to run diagnostics on your authentication, you can enable Apache Access logging for more information. To do this:

1. Beside the Apache Access Log is Disabled/Enabled section, click Click here to change these settings.
2. To enable or disable the generation of Apache Access logs, select or deselect the Enable Apache access logging check box.