Forum Discussion

dp_119903
Cirrostratus
Sep 29, 2015

Simple NTLM

I have done a lot of stuff with SSO using Kerberos and SAML, but never delved into the NTLM side of things. I have what I would think is a really simple need.


I have a backend SharePoint server that is looking to do NTLM authentication with users. I want to create a logon page that has username/password/domain fields (that is easy enough). I want to authenticate the user against AD (which works fine) and then send the username/password/domain information to the server so that I can avoid that pesky Windows Security box.


I've read a lot of "how to do seamless NTLM" but the problem is I don't necessarily want it to be seamless (at least not as I've seen that defined). I need the users to hit the logon page and for the credentials that they enter to be sent to the server (the reality is they are logging in with different domain accounts than what their machine is currently using).


Is this possible? All I want is to avoid the Windows Security window so that the user doesn't have to enter the credentials twice.


3 Replies

  • NTLM SSO is pretty straightforward. It requires a username, password, and domain name as inputs, which are taken from session variables. If you look at an NTLMv2 SSO profile, you'll see a set of default session variables for these three values. You just need to make sure that your access policy populates these three values before the Allow block. The one trick here is that the logon page sets the session.logon.last.username and session.logon.last.password (and optionally the session.logon.last.domain) session variables, and stores the password in secure encrypted storage. To access that (decrypted) password at the SSO, you need the SSO Credential Mapping agent in the visual policy path, which natively creates the session.sso.token.last.username and session.sso.token.last.password variables that the SSO needs. So at a minimum,

    Start -> Logon Page -> AD Auth -> SSO Credential Map -> Allow (SSO applied to the access policy)
  • What APM version are you on? If you create a new NTLMv2 SSO profile, the default username and password sources should be session.sso.token.last.username and session.sso.token.last.password, respectively. In any case, the SSO credential mapping agent takes the password variable you specify (the encrypted session.logon.last.password value from the logon page by default), decrypts it, and puts that decrypted value into session.sso.token.last.password.


  • NTLM Auth result is a client-side (AAA) NTLM function. You don't need that here. So basically the server sends an initial 401 and the NTLM SSO counters that with its challenge response (based on your inserted credentials). If the server doesn't like these credentials, it'll respond with another 401.
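The exchange the last two replies describe (401 from the backend, NEGOTIATE, CHALLENGE, AUTHENTICATE built from the mapped session variables, then 200 or another 401) as an added, self-contained model. This is example code written for this page, not F5 APM code and not anything the poster or the repliers provided. The NTLMv2 key derivation and proof follow MS-NLMP (NTOWFv2 and NTProofStr), but the message framing is simplified to Python dicts in place of the binary NTLMSSP layout, the `NtlmServer` class and its account table are constructed stand-ins for the SharePoint backend, and `sso_agent` is a hypothetical name for the role the SSO profile plays after the Credential Mapping agent has populated `session.sso.token.last.*`. MD4 is implemented inline because many OpenSSL 3 builds of `hashlib` no longer ship it.

```python
"""Model of the NTLM-over-HTTP exchange an SSO agent performs for the user.

Constructed example, not F5 APM code: NTLMv2 crypto per MS-NLMP, message
framing simplified to dicts so the three legs of the exchange stay readable.
"""
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), needed for the NT hash; hashlib often lacks it on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & MASK
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); what the directory stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(ntowf: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()


def build_temp(client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """NTLMv2 'temp' blob: version, 6 reserved, FILETIME, client nonce, 4 reserved, AV pairs, 4 reserved."""
    filetime = int((time.time() + 11644473600) * 10_000_000)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


class NtlmServer:
    """Stand-in for the NTLM-only backend. accounts = {(DOMAIN, USER): nt_hash} (constructed)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # outstanding server challenge per connection

    def handle(self, conn, authorization=None):
        if authorization is None:
            return 401, None  # "WWW-Authenticate: NTLM": this is what pops the Windows Security box
        if authorization["type"] == 1:  # NEGOTIATE -> CHALLENGE with a fresh 8-byte nonce
            self.pending[conn] = os.urandom(8)
            return 401, {"type": 2, "server_challenge": self.pending[conn]}
        msg, challenge = authorization, self.pending.pop(conn, None)  # AUTHENTICATE
        stored = self.accounts.get((msg["domain"].upper(), msg["user"].upper()))
        if challenge is None or stored is None or len(msg["nt_response"]) < 16:
            return 401, None
        proof, temp = msg["nt_response"][:16], msg["nt_response"][16:]
        expected = nt_proof(ntowf_v2(stored, msg["user"], msg["domain"]), challenge, temp)
        return (200, None) if hmac.compare_digest(proof, expected) else (401, None)


def sso_agent(server: NtlmServer, session: dict) -> int:
    """Answer the server's 401s using the decrypted credentials the Credential Mapping agent exposed."""
    user = session["session.sso.token.last.username"]
    password = session["session.sso.token.last.password"]
    domain = session["session.logon.last.domain"]
    conn = object()
    status, _ = server.handle(conn)  # leg 1: bare request, expect 401
    if status != 401:
        return status
    _, challenge_msg = server.handle(conn, {"type": 1})  # leg 2: NEGOTIATE, get CHALLENGE
    temp = build_temp(os.urandom(8))
    proof = nt_proof(ntowf_v2(nt_hash(password), user, domain), challenge_msg["server_challenge"], temp)
    status, _ = server.handle(conn, {"type": 3, "user": user, "domain": domain,
                                     "nt_response": proof + temp})  # leg 3: AUTHENTICATE
    return status  # 200 on success; the server re-challenges with 401 on bad credentials


if __name__ == "__main__":
    backend = NtlmServer({("CORP", "JDOE"): nt_hash("correct horse")})  # constructed account
    good = {"session.sso.token.last.username": "jdoe",
            "session.sso.token.last.password": "correct horse", "session.logon.last.domain": "CORP"}
    print(sso_agent(backend, good))
```

The user never sees the second prompt because the agent, not the browser, answers the initial 401; a wrong password in `session.sso.token.last.password` surfaces as a second 401 from the backend, exactly the symptom the third reply describes, so that is the status to look for when an SSO profile appears to "do nothing".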