Legacy NTLM authentication

Content Gateway supports the NTLM (NT LAN Manager) authentication protocol as a method of ensuring that users in a Windows network are authenticated before they access the Internet.

Important:

This implementation of NTLM support (Legacy NTLM) relies solely on the NTLMSSP protocol. Although it performs reliably as documented in this section, it is highly recommended that the Integrated Windows Authentication mode be used instead. It provides more robust and secure support for NTLM.

If rule-based authentication will be used, configure Legacy NTLM authentication through the Rule-Based Authentication option.

However, read this section to become familiar with Legacy NTLM features and restrictions.

When the Legacy NTLM option is enabled, the proxy challenges users who request content to prove their credentials. The proxy then forwards that proof directly to the Windows domain controller for validation. If the credentials are valid, the proxy serves the requested content and stores the credentials in the NTLM cache for future use. If the credentials are not valid, the proxy returns an authentication-failed message.

Restrictions

  1. WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.
  2. Extended security is not supported and cannot be enabled on the domain controller.
  3. NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.
  4. NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring NTLM proxy authentication, below.
  5. Not all browsers support transparent NTLM authentication. See Browser limitations.
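Restrictions 2 and 3 hinge on the NTLMSSP negotiate flags a client or domain controller puts on the wire. The following Python is an added diagnostic example, not Content Gateway code: it parses the NegotiateFlags field of an NTLMSSP Type 1, 2 or 3 message and reports whether NTLM2 session security (the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY bit from MS-NLMP) was requested. The sample messages and the flag combinations in them are constructed for illustration.

```python
"""Check captured NTLMSSP messages for NTLM2 session security, which
Legacy NTLM in Content Gateway does not support (restriction 3 above)."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# Offset of NegotiateFlags by message type (MS-NLMP): NEGOTIATE, CHALLENGE, AUTHENTICATE.
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
FIXED_LEN = {1: 32, 2: 48, 3: 64}   # fixed-size prefix used when building samples

# Subset of MS-NLMP negotiate flag bits relevant to the restrictions above.
FLAGS = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLM_NEGOTIATE_OEM": 0x00000002,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_VERSION": 0x02000000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}

def parse_negotiate_flags(msg: bytes):
    """Return (message_type, flags) after validating signature, type and length."""
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(msg) < offset + 4:
        raise ValueError(f"unsupported or truncated NTLMSSP message type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, offset)
    return msg_type, flags

def flag_names(flags: int) -> list:
    """Human-readable names of the known bits set in a flags word."""
    return [name for name, bit in FLAGS.items() if flags & bit]

def requests_ntlm2_session_security(msg: bytes) -> bool:
    """True when the peer asked for NTLM2 session security (unsupported by Legacy NTLM)."""
    _, flags = parse_negotiate_flags(msg)
    return bool(flags & FLAGS["NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"])

def build_message(msg_type: int, flags: int) -> bytes:
    """Constructed sample message: header, zeroed fields, flags, zero padding."""
    offset = FLAGS_OFFSET[msg_type]
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)
    msg += b"\x00" * (offset - len(msg)) + struct.pack("<I", flags)
    return msg + b"\x00" * (FIXED_LEN[msg_type] - len(msg))

# Constructed samples: a modern client requesting NTLM2 session security,
# and a legacy-style client that does not.
MODERN_CLIENT = build_message(1, 0xE2088207)
LEGACY_CLIENT = build_message(1, 0x00008207)
```

Run `parse_negotiate_flags` over the Type 1 message a browser sends in its first Proxy-Authorization header (and the Type 2 challenge the domain controller returns) to confirm that neither side is negotiating the session security this mode cannot handle.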

If you are using Legacy NTLM with rule-based authentication, see Rule-Based Authentication for configuration steps.