Automatic user authentication using NTLM
Kerio Control supports automatic user authentication using the NTLM (NT LAN Manager) method, that is, authentication from web browsers. Once users are authenticated to the domain, they do not need to type their usernames and passwords.
This article describes the prerequisites and configuration settings required for NTLM authentication to work correctly.
Prerequisites
- Join Kerio Control to the Microsoft Active Directory domain with a valid DNS name as the Kerio Control server name. For more information refer to Connecting Kerio Control to directory service.
- Join client hosts to the domain.
- Install a valid SSL certificate for the web interface and configure it correctly in Kerio Control. For more information refer to Configuring SSL certificates in Kerio Control. SSL certificates can be configured and distributed using Group Policy settings. For more information refer to Deploying Kerio Control certificate via Microsoft Active Directory.
- Configure browsers to trust the Kerio Control hostname, if necessary. See Configuring web browsers below.
Configuring NTLM in Kerio Control
To configure NTLM, enable NTLM authentication in the Kerio Control settings (the server must already use a valid DNS name, as described under Prerequisites):
- In the administration interface, go to Domains and User Login.
- (Optional) On the Authentication Options tab, select Always require users to be authenticated when accessing web pages.
- Select Enable automatic authentication using NTLM.
- Click Apply.
Kerio Control is now properly configured to use NTLM authentication.
Next, you need to configure browsers on client hosts.
Configuring web browsers
NTLM authentication works only in browsers that support this method:
NOTE
Edge does not support NTLM yet.
Setting Microsoft Internet Explorer
In Internet Explorer, you must enable integrated Windows authentication and add the Kerio Control server name to trusted servers in its security settings:
- Open Internet Explorer.
- Click Tools > Internet Options.
- Click the Advanced tab.
- Select Enable integrated Windows Authentication.
- Restart Internet Explorer.
Internet Explorer is now properly configured and NTLM authentication should work. Users do not have to authenticate with Kerio Control credentials.
If NTLM does not work, the cause may be a problem with the Kerio Control server name. In this case:
- Go to Tools > Internet Options.
- Click the Security tab.
- Select Local Intranet.
- Click Sites.
- In the Local Intranet dialog box, click Advanced.
- Add the Kerio Control server name to the list of trusted servers. For increased security, type the server name in this format: https://server.company.com
Setting Mozilla Firefox
- Open Mozilla Firefox.
- Type about:config in the address bar.
- Use the filter to search for network.automatic-ntlm-auth.trusted-uris
- Double-click the item.
- In the dialog box, add the Kerio Control server name. For increased security, type the server name in this format: https://server.company.com
Mozilla Firefox is now properly configured and NTLM authentication works. Users do not need to authenticate with Kerio Control credentials.
Setting Google Chrome
Chrome uses Internet Explorer's security configuration, so one way to configure Chrome's settings is to configure Internet Explorer. Google Chrome adopts the same settings, so NTLM authentication will work.
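The Internet Explorer and Firefox steps above can be scripted when many client hosts need the same settings. The following PowerShell is an added example and is not part of the Kerio Control documentation; it assumes the placeholder hostname server.company.com from this article, writes the Local Intranet zone mapping that Internet Explorer and Chrome read, and writes the equivalent Firefox enterprise policy file (the trusted-URI list from the Firefox section).

```powershell
# Added example (not Kerio Control's own script): trust the Kerio Control
# server for NTLM in IE/Chrome and in Firefox on the current client host.
$KerioHost = 'server.company.com'   # placeholder from the article; use your real DNS name

# --- Internet Explorer / Chrome: Local Intranet zone (zone 1) via ZoneMap ---
# IE stores site-to-zone mappings under ZoneMap\Domains\<domain>\<host>;
# the value name is the URL scheme and the DWORD data is the zone number.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$labels = $KerioHost.Split('.')
if ($labels.Count -gt 1) {
    $domainPart = ($labels | Select-Object -Skip 1) -join '.'
    $key = Join-Path (Join-Path $zoneMap $domainPart) $labels[0]
} else {
    $key = Join-Path $zoneMap $KerioHost   # single-label host, no domain subkey
}
New-Item -Path $key -Force | Out-Null
# Map only https, so the trust does not extend to plain http, matching the
# https://server.company.com form the article recommends.
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# --- Firefox: policy equivalent of network.automatic-ntlm-auth.trusted-uris ---
# Enterprise policies are read from <Firefox install dir>\distribution\policies.json.
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path $firefoxDir) {
    $policyDir = Join-Path $firefoxDir 'distribution'
    New-Item -Path $policyDir -ItemType Directory -Force | Out-Null
    $policy = @{ policies = @{ Authentication = @{ NTLM = @("https://$KerioHost") } } }
    $policy | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $policyDir 'policies.json') -Encoding UTF8
}
```

The ZoneMap change is per user (HKCU); to apply it for all users, use the Group Policy site-to-zone assignment the article mentions under Prerequisites, and run the Firefox part with rights to write into the install directory.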
Troubleshooting
Time Settings
If NTLM does not work properly, verify that the time on the Domain Controller, Kerio Control, and client hosts is the same.
To have the same time on all computers in your network, use an NTP server.
In Kerio Control, you can configure date and time settings in the Advanced Options section on the System Configuration tab.
Kerio Control server name is not a valid DNS name
If you have problems with NTLM, verify that the Kerio Control server name is correct.
1. Go to Advanced Options > Web Interface.
2. Select Use specified hostname.
3. Type a valid DNS name of the Kerio Control server.
Failed authentication due to old credentials in Windows Password Manager
NTLM authentication runs in the background, so users do not see it. The Kerio Control log-in dialog box is displayed only if NTLM authentication fails. Kerio Control records information about failed authentication in the Error log.
NTLM authentication may fail in Internet Explorer if invalid credentials are saved in Windows Password Manager. Remove all Kerio Control usernames and passwords from Windows Password Manager.