Format

Domains must be identified (added to this file) using the interface in the Content Gateway manager on the Configure > Security > Access Control > Domains tab. Do not edit this configuration file.

Each line in auth_domains.config consists of a set of tags; each tag is followed by its value. For example:

type=<auth_method> name=<unique_name> use_alias=<0 or 1> <additional tags>

The set of tags varies depending on the selected authentication method.

The following table lists all of the tags.

| Tag | Allowed value |
|---|---|
| type | Specifies the authentication method: IWA, NTLM, or LDAP. |
| name | Specifies a unique name for the domain. This is not the actual domain name, but a name that is unique to the proxy and to rule-based authentication. |
| use_alias | Specifies the user name sent to filtering service if authentication is successful: 0 = send the actual authenticated user name (default); 1 = send a blank user name; 2 = send the string specified in auth_name_string. |
| alias | Only active if use_alias=2. Specifies the static string to send as the user name for all successful authentications using this rule. |

The following table lists the additional tags used with IWA domains.

| IWA tag | Allowed value |
|---|---|
| winauth_realm | Specifies the joined Windows domain to use with the rule. Content Gateway must be joined and active in that domain. |

The following table lists the additional tags used with NTLM domains.

| NTLM tag | Allowed value |
|---|---|
| dc_list | Takes the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma-separated list of secondary domain controllers used for load balancing and failover. |
| dc_load_balance (optional) | Specifies whether load balancing is used: 0 = disabled; 1 = enabled. |

Note: When multiple domain controllers are specified, even if load balancing is disabled, once the primary domain controller reaches its maximum number of connections, new requests are sent to a secondary domain controller as a short-term failover until the primary domain controller can accept new connections again.

The following table lists the additional tags used with LDAP domains.

| LDAP tag | Allowed value |
|---|---|
| server_name | Specifies the fully qualified domain name of the LDAP server. |
| server_port (optional) | Specifies the LDAP server port. The default is 389. To use the default Global Catalog server port, specify port 3268. If Secure LDAP is enabled, set the port to 636 or 3269 (the secure LDAP ports). |
| base_dn (optional) | Specifies the LDAP base distinguished name. |
| uid_filter (optional) | Specifies the directory service type, if different from that configured on the LDAP tab. Enter sAMAccountName or userPrincipalName for Active Directory, or uid for any other directory service. |
| bind_dn (optional) | Specifies the bind distinguished name. This must be the full distinguished name of a user in the LDAP directory service. For example: CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM |
| bind_pwd (optional) | Specifies the password for the bind distinguished name. |
| sec_bind | Specifies whether Content Gateway uses secure communication with the LDAP server: 0 = disabled; 1 = enabled. If enabled, set the LDAP port to 636 or 3269 (the secure LDAP ports). |
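Because the file is generated by the Content Gateway manager rather than hand-edited, the useful thing to do with the tag tables above is to audit a copy of it: confirm every line names a supported method, carries the tag its method needs, and does not pair sec_bind=1 with the plaintext port. The linter below is an added example written for this page; it is not Content Gateway code. It assumes that each line is a whitespace-separated list of tag=value pairs as shown at the top of the page, that a value containing spaces (such as a bind_dn) may be double-quoted, that the string used with use_alias=2 lives in the alias tag, and that winauth_realm, dc_list and server_name are mandatory for their respective methods. The sample lines it runs on are constructed, not taken from a real deployment.

```python
import shlex
from typing import Dict, List

# Allowed values as documented in the auth_domains.config tag tables.
AUTH_METHODS = {"IWA", "NTLM", "LDAP"}
USE_ALIAS_VALUES = {"0", "1", "2"}
SECURE_LDAP_PORTS = {"636", "3269"}
# Tags that identify the backend for each method (assumption: treated as required here).
REQUIRED_BY_TYPE = {"IWA": {"winauth_realm"}, "NTLM": {"dc_list"}, "LDAP": {"server_name"}}


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'tag=value tag=value ...' line into a dict.

    shlex.split is used so a double-quoted value (a bind_dn containing spaces,
    for instance) stays a single token; only the first '=' separates tag from
    value, so a DN such as CN=...,DC=... survives intact.
    """
    tags: Dict[str, str] = {}
    for token in shlex.split(line):
        if "=" not in token:
            raise ValueError(f"token without '=': {token!r}")
        key, _, value = token.partition("=")
        if key in tags:
            raise ValueError(f"duplicate tag {key!r}")
        tags[key] = value
    return tags


def check_domain(tags: Dict[str, str]) -> List[str]:
    """Return findings for one parsed line; an empty list means it is consistent."""
    findings: List[str] = []
    auth_type = tags.get("type")
    if auth_type not in AUTH_METHODS:
        return [f"type must be one of {sorted(AUTH_METHODS)}, got {auth_type!r}"]
    if not tags.get("name"):
        findings.append("name is required")

    use_alias = tags.get("use_alias", "0")
    if use_alias not in USE_ALIAS_VALUES:
        findings.append(f"use_alias must be 0, 1 or 2, got {use_alias!r}")
    elif use_alias == "2" and not tags.get("alias"):
        findings.append("use_alias=2 but no alias string is given")

    for missing in sorted(REQUIRED_BY_TYPE[auth_type] - tags.keys()):
        findings.append(f"{auth_type} domain is missing tag {missing!r}")

    if auth_type == "NTLM":
        # dc_list: primary controller first, then comma-separated secondaries,
        # each written as IP[:port] (port 139 is the documented default).
        for entry in filter(None, tags.get("dc_list", "").split(",")):
            host, _, port = entry.partition(":")
            if not host or (port and not port.isdigit()):
                findings.append(f"malformed dc_list entry {entry!r}")
        if tags.get("dc_load_balance", "0") not in {"0", "1"}:
            findings.append("dc_load_balance must be 0 or 1")

    if auth_type == "LDAP":
        port = tags.get("server_port", "389")
        sec_bind = tags.get("sec_bind", "0")
        if sec_bind not in {"0", "1"}:
            findings.append("sec_bind must be 0 or 1")
        elif sec_bind == "1" and port not in SECURE_LDAP_PORTS:
            findings.append(f"sec_bind=1 but server_port={port}; secure LDAP uses 636 or 3269")
        elif sec_bind == "0" and port in SECURE_LDAP_PORTS:
            findings.append(f"server_port={port} is a secure LDAP port but sec_bind=0")
        if "bind_pwd" in tags and "bind_dn" not in tags:
            findings.append("bind_pwd is set without a bind_dn")
    return findings


def lint_config(text: str) -> Dict[int, List[str]]:
    """Lint every non-blank line; returns {line_number: findings} for lines with problems."""
    results: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            findings = check_domain(parse_line(line))
        except ValueError as exc:
            findings = [str(exc)]
        if findings:
            results[lineno] = findings
    return results


# Constructed sample lines (not from a real deployment): line 3 pairs sec_bind=1
# with the plaintext port 389, and line 4 names an unsupported method.
SAMPLE_CONFIG = """\
type=IWA name=corp_iwa use_alias=0 winauth_realm=CORP.EXAMPLE.COM
type=NTLM name=legacy_ntlm use_alias=1 dc_list=192.0.2.10:139,192.0.2.11 dc_load_balance=1
type=LDAP name=partner_ldap use_alias=2 alias=partner server_name=ldap.example.com server_port=389 sec_bind=1 bind_dn="CN=Svc Proxy,CN=USERS,DC=EXAMPLE,DC=COM" bind_pwd=PLACEHOLDER
type=RADIUS name=unsupported
"""

if __name__ == "__main__":
    for lineno, findings in lint_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

Run it against a copy of auth_domains.config exported from the appliance and review any line it reports; the sec_bind/server_port check in particular catches the case where secure binding was switched on in the manager but the port was left at the plaintext default, which would fail the bind rather than silently fall back.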