Client integrated authentication

Client Integrated Authentication using Domain Controller (NTLM) authenticates users with the Windows credentials they are already logged on with: the browser completes an NTLM challenge/response exchange with the Web Gateway on the user's behalf, so the user is not asked for a name and password. Only if the browser cannot authenticate against the domain controller is the user prompted to enter an alternative name and password. The password itself is never sent over the network; the client returns only a response computed from the password hash and a challenge issued by the server. Because the credentials are validated by the domain controller, the Web Gateway must be a member of the domain.

Configure domain controllers

  1. From the System Center Home page, click Proxy Settings > Authentication Settings.
  2. Beside the User Authentication is Disabled/Enabled section, click Click here to change these settings.
  3. Select Client Integrated Authentication using Domain Controller, and click Save.

    The NTLM Domain Controller section will appear once you've saved the authentication type.

  4. Beside the NTLM Domain Controller section, click Click here to change these settings.
  5. Edit the settings depending on whether you want to:
  6. Click Save.
  7. Click Join Domain in the task panel.
    The Join Domain dialog appears.
  8. Enter your user name and password, and click Join.
 
  • When you configure Client Integrated Authentication using Domain Controller, the Web Gateway is added to the Windows domain under its current name. If you subsequently rename the Web Gateway, the domain will no longer recognize it and authentication will stop working until the gateway has joined the domain again.
  • When configuring Peer Gateways to use Client Integrated Authentication using Domain Controller, you must configure each peer locally. If you configure authentication on a remote peer instead, the settings will appear to have been applied correctly, but authentication on that peer will not work.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Test authentication

  1. On the Authentication Settings page, click Test Authentication. The Test Authentication dialog appears.
  2. Enter a valid user name and password combination, and click Run Test.

Although Client Integrated Authentication (NTLM) supports user names and passwords that contain non-ASCII (extended) characters, the test mechanism does not: a test with such a user name or password fails even when the user can authenticate normally, so verify those accounts from a client browser instead.

Enable Apache Access logging

To diagnose authentication problems, enable Apache access logging. The access log records each request the gateway handled, together with its HTTP status code and, where the request was authenticated, the user name, which lets you see whether clients are completing the NTLM exchange or being repeatedly challenged. To enable it:

  1. Beside the Apache Access Log is Disabled/Enabled section, click Click here to change these settings.
  2. To enable or disable the generation of Apache Access logs, select or deselect the Enable Apache access logging check box.
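The following script is an added example, not part of the original page or of the gateway's own tooling. It shows how to read the Apache access log for authentication diagnostics: a healthy NTLM exchange appears as two 407 (Proxy Authentication Required) responses followed by a request logged with a user name, while a client that keeps receiving 407s and never gets an authenticated request has failed to authenticate (wrong credentials, a gateway that has not joined the domain, or a peer configured remotely). The log lines are constructed for illustration, and the script assumes the gateway writes Apache's "combined" log format with the authenticated user in the third (%u) field, formatted as DOMAIN\user; adjust the regular expression if your gateway's log format differs.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (remote host, identd,
# user, timestamp, request, status, bytes, referer, user-agent).
# They are illustrative only and were not taken from a real gateway.
SAMPLE_LOG = r'''
10.0.0.15 - - [12/Mar/2024:09:14:02 +0000] "GET http://example.com/ HTTP/1.1" 407 0 "-" "Mozilla/5.0"
10.0.0.15 - - [12/Mar/2024:09:14:02 +0000] "GET http://example.com/ HTTP/1.1" 407 0 "-" "Mozilla/5.0"
10.0.0.15 - CORP\alice [12/Mar/2024:09:14:03 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.22 - - [12/Mar/2024:09:15:10 +0000] "GET http://intranet.example/ HTTP/1.1" 407 0 "-" "curl/8.4.0"
10.0.0.22 - - [12/Mar/2024:09:15:10 +0000] "GET http://intranet.example/ HTTP/1.1" 407 0 "-" "curl/8.4.0"
10.0.0.22 - - [12/Mar/2024:09:15:11 +0000] "GET http://intranet.example/ HTTP/1.1" 407 0 "-" "curl/8.4.0"
10.0.0.31 - CORP\jörg [12/Mar/2024:09:16:40 +0000] "GET http://example.org/ HTTP/1.1" 200 880 "-" "Mozilla/5.0"
'''

# Matches the leading fields shared by the "common" and "combined" formats;
# referer and user-agent are not needed for the diagnosis and are ignored.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Apache logs "-" when no authenticated user is known for the request.
    rec['user'] = None if rec['user'] == '-' else rec['user']
    return rec


def summarise(log_text):
    """Per client IP: count 407 challenges, authenticated requests, and user names seen."""
    per_host = defaultdict(lambda: {'challenges': 0, 'authenticated': 0, 'users': set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        entry = per_host[rec['host']]
        if rec['status'] == 407:
            entry['challenges'] += 1
        elif rec['user'] is not None:
            entry['authenticated'] += 1
            entry['users'].add(rec['user'])
    return dict(per_host)


def suspicious_hosts(summary, max_challenges=2):
    """Hosts challenged more often than a normal NTLM handshake needs (two 407s:
    the initial challenge and the reply to the client's Type 1 message) that
    never produced an authenticated request. These are the clients to investigate."""
    return sorted(host for host, e in summary.items()
                  if e['authenticated'] == 0 and e['challenges'] > max_challenges)


def non_ascii_users(summary):
    """User names the built-in Test Authentication dialog cannot exercise."""
    return sorted(u for e in summary.values() for u in e['users'] if not u.isascii())


if __name__ == '__main__':
    summary = summarise(SAMPLE_LOG)
    for host, e in sorted(summary.items()):
        print(f"{host}: {e['challenges']} challenges, {e['authenticated']} authenticated, "
              f"users={sorted(e['users'])}")
    print('clients failing authentication:', suspicious_hosts(summary))
    print('non-ASCII user names (untestable from the dialog):', non_ascii_users(summary))
```

Run it against a copy of the gateway's access log by replacing SAMPLE_LOG with the file contents. A client that shows up in the suspicious list while others authenticate normally usually points at that client's credentials or browser configuration; if every client is in the list, check that the gateway (or the peer you are looking at) has actually joined the domain.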