25.2  Automatic user authentication using NTLM

WinRoute supports automatic user authentication by the NTLM method (authentication from Web browsers). Users who are already authenticated to the domain are not asked for a username and password again.

This chapter describes in detail the conditions and configuration settings required for NTLM authentication to work correctly.

General conditions

The following conditions apply to this authentication method:

  1. WinRoute Firewall Engine is running as a service, or it is running under a user account with administrator rights on the WinRoute host.

  2. The server (i.e. the WinRoute host) belongs to a corresponding Windows NT or Active Directory (Windows 2000/2003/2008) domain.

  3. The client host belongs to the domain.

  4. The user at the client host must be authenticated to this domain (i.e. local user accounts cannot be used for this purpose).

  5. The NT domain / Kerberos 5 authentication method (see chapter 15.1  Viewing and definitions of user accounts) must be set for the corresponding user account under WinRoute. NTLM cannot be used for authentication in the internal database.

WinRoute Configuration

NTLM authentication of users from web browsers must be enabled in Users → Authentication Options. Users should be required to authenticate when attempting to access web pages; otherwise enabling NTLM authentication has no effect.


Figure 25.1. NTLM — user authentication options


User authentication in the corresponding NT domain must be enabled.

  • For local user accounts (including accounts imported manually or automatically from the domain) — at the bottom of the Authentication Options tab, NT authentication must be enabled and the corresponding NT domain must be set (e.g. COMPANY).


    Figure 25.2. Setting of NT authentication for local user accounts


  • For a mapped Active Directory domain — the corresponding NT domain must be set in the particular domain's configuration on the Active Directory tab (for details, refer to chapter 15.4  User accounts in Active Directory — domain mapping).


    Figure 25.3. Setting of NTLM authentication for a mapped Active Directory domain


The configuration of WinRoute's web interface must include a valid DNS name of the server on which WinRoute is running (for details, see chapter 11.1  Web interface preferences).


Figure 25.4. Configuration of WinRoute's Web Interface


Web browsers

For NTLM to work properly, a browser that supports this method must be used. Currently, the following browsers are supported:

  • Internet Explorer version 5.01 or later

  • Firefox or SeaMonkey with the core version Mozilla 1.3 or later

NTLM authentication process

The NTLM authentication process differs depending on the browser used.

Internet Explorer

NTLM authentication is performed without user interaction.

The login dialog is displayed only if NTLM authentication fails (e.g. when no user account exists in WinRoute for the user authenticated at the client host).

Warning

One possible cause of NTLM authentication failure is an invalid username or password saved in Windows Password Manager (Control Panel → User Accounts → Advanced → Password Manager) for the corresponding server (i.e. the WinRoute host). In such a case, Internet Explorer sends the saved login data instead of performing NTLM authentication for the currently logged-in user. If problems with NTLM authentication arise, it is recommended to remove all usernames/passwords for the server where WinRoute is installed from Password Manager.

Firefox/SeaMonkey

The browser displays the login dialog. For security reasons, automatic user authentication is not used by default in the browser. This behaviour of the browser can be changed by modifying configuration parameters (see below).

If authentication fails and a direct connection is used, the firewall's login page is opened automatically (refer to chapter 11.2  User authentication at the web interface). If a proxy server is used, the login dialog is displayed.

Note: If NTLM authentication fails for any reason, details are recorded in the error log (see chapter 22.8  Error Log).

Firefox/SeaMonkey configuration

The configuration can be changed to enable automatic NTLM authentication, so that the login dialog is not displayed. Follow these steps:

  1. Enter about:config in the browser's address bar. The list of configuration parameters is displayed.

  2. Set the corresponding configuration parameter(s) as follows:

    • For direct connection (proxy server is not set in the browser):

      Look up the network.automatic-ntlm-auth.trusted-uris parameter. Use the WinRoute host's name as a value for this parameter (e.g. server or server.company.com). This name must match the server name set under Configuration → Advanced Options → Web Interface (see chapter 11.1  Web interface preferences).

      Note: It is not possible to use an IP address as a value for this parameter!

    • If WinRoute proxy server is used:

      Look up the network.automatic-ntlm-auth.allow-proxies parameter and set its value to true.

    Configuration changes are applied right away, i.e. it is not necessary to restart the browser.
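As an added example (not part of the manual and not WinRoute's own tooling), the following Python helper applies the two checks from the steps above before producing the settings: the trusted-uris value must be a host name rather than an IP address, and it must match the DNS name configured for WinRoute's web interface. It emits the settings as user_pref() lines for a Firefox profile's user.js file, which Firefox reads on startup; that file is assumed here as an alternative to editing about:config by hand.

```python
"""Generate Firefox/SeaMonkey user.js entries for automatic NTLM
authentication against a WinRoute host, validating the value first."""
import ipaddress
import re
from typing import List, Optional

# Plain host names and FQDNs (letters, digits, hyphens, dot-separated labels).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def is_ip_address(value: str) -> bool:
    """True for IPv4/IPv6 literals, which trusted-uris must not contain."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_trusted_uri(value: str, web_interface_name: str) -> Optional[str]:
    """Return None if value is acceptable, otherwise the reason it is not."""
    if is_ip_address(value):
        return "an IP address is not accepted in network.automatic-ntlm-auth.trusted-uris"
    if not HOSTNAME_RE.match(value):
        return "value is not a valid host name"
    if value.lower() != web_interface_name.lower():
        # Must match the name set under Configuration -> Advanced Options -> Web Interface.
        return "value does not match the server name configured for the web interface"
    return None


def build_user_js(web_interface_name: str, via_proxy: bool,
                  trusted_host: Optional[str] = None) -> List[str]:
    """Return user_pref() lines for the profile's user.js (hypothetical helper).

    Direct connection: trusted-uris must name the WinRoute host.
    WinRoute proxy:    allow-proxies must be true instead."""
    if via_proxy:
        return ['user_pref("network.automatic-ntlm-auth.allow-proxies", true);']
    if trusted_host is None:
        trusted_host = web_interface_name
    problem = check_trusted_uri(trusted_host, web_interface_name)
    if problem:
        raise ValueError(problem)
    return ['user_pref("network.automatic-ntlm-auth.trusted-uris", "%s");' % trusted_host]
```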