User Management
1014
SonicOS 5.8.1 Administrator Guide
• User group memberships can be set locally by duplicating LDAP user names (set in
the LDAP configuration and applicable when the user group membership mechanism is
LDAP)
• Polling rate
NTLM Authentication of Non-Domain Users
With NTLM, non-domain users could be users who are logged into their PC rather than into the
domain, or could be users who were prompted to enter a user name and password and entered
something other than their domain credentials. In both cases, NTLM allows for distinguishing
these from domain users.
If the user name matches a local user account on the SonicWALL appliance then the NTLM
response is validated locally against the password of that account. If successful, the user is
logged in and given privileges based on that account. User group memberships are set from
the local account, not from LDAP, and (since the password has been validated locally) will
include membership of the Trusted Users group.
If the user name does not match a local user account, the user will not be logged in. The Allow
limited access for non-domain users option does not apply for users authenticated via
NTLM.
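The rule above (domain user, local account, or no login) as an added example, not code from the guide or from SonicOS: it decodes the NTLM Type 3 token that a browser sends in its Authorization header, reads the DomainName and UserName buffers, and applies the rule. It assumes the appliance treats a token as a domain login when its DomainName field equals the configured domain, and that a PC-only login carries the machine name there; `trusted_domain`, `local_accounts` and the sample-token builder are assumptions of this example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3          # NTLM "Type 3" message
NEGOTIATE_UNICODE = 0x00000001    # string buffers are UTF-16LE when set

def parse_authenticate(token_b64):
    """Return (domain, user, workstation) from a base64 NTLM Type 3 token
    as carried in an 'Authorization: NTLM <token>' request header."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    def field(off):  # security buffer: Len(2) MaxLen(2) Offset(4), little-endian
        length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
        return msg[start:start + length].decode(codec)
    # DomainName, UserName and Workstation buffers sit at offsets 28, 36 and 44
    return field(28), field(36), field(44)

def classify(token_b64, trusted_domain, local_accounts):
    """Apply the guide's rule. local_accounts maps local user name -> groups.
    Assumption: a client logged into the PC rather than the domain sends its
    machine name in the DomainName field."""
    domain, user, _ws = parse_authenticate(token_b64)
    if domain.upper() == trusted_domain.upper():
        # domain user: validated against the domain, groups come from LDAP
        return {"result": "domain", "user": user, "groups": None}
    if user.lower() in local_accounts:
        # non-domain user with a matching local account: validated locally,
        # groups come from the local account plus Trusted Users
        return {"result": "local", "user": user,
                "groups": local_accounts[user.lower()] + ["Trusted Users"]}
    # no matching local account: not logged in; limited access does not apply to NTLM
    return {"result": "denied", "user": user, "groups": []}

def build_authenticate(domain, user, workstation):
    """Constructed sample: minimal Unicode Type 3 token with empty LM/NT
    responses, only for exercising the parser offline."""
    blobs = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    hdr = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE))
    payload, offset = b"", 64   # payload follows the 64-byte fixed header
    for blob in blobs:          # LM, NT, Domain, User, Workstation, SessionKey
        hdr += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)
    return base64.b64encode(bytes(hdr) + payload).decode("ascii")
```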
Credentials for NTLM Authentication in the Browser
For NTLM authentication, the browser either uses the domain credentials (if the user is logged
into the domain), thus providing full single-sign-on functionality, or prompts the user to enter a
name and password for the website being accessed (the SonicWALL appliance in this case).
Different factors affect the browser’s ability to use the domain credentials when the user is
logged into the domain. These factors depend on the type of browser being used:
• Internet Explorer 7 – Internet Explorer uses the user’s domain credentials and
authenticates transparently if the website that it is logging into (the SonicWALL appliance)
is in the local intranet, according to the Security tab in its Internet Options. This requires
adding the SonicWALL appliance to the list of websites in the Local Intranet zone in the
Internet Options.
This can be done via the domain’s group policy in the Site to Zone Assignment List under
Computer Configuration, Administrative Templates, Windows Components, Internet
Explorer, Internet Control Panel, Security Page.
Note Windows 7 and Vista machines require additional configuration to use RADIUS
authentication with browser NTLM authentication via Internet Explorer. See the
“Configuring NTLMv2 Session Security on Windows” section on page 1088.
• Google Chrome 7 – Chrome behaves the same as Internet Explorer, including requiring
that the SonicWALL appliance is added to the list of websites in the Local Intranet zone in
the Internet Options.
• Firefox 3.6 – Firefox uses the user’s domain credentials and authenticates transparently if
the website that it is logging into (the SonicWALL appliance) is listed in the
network.automatic-ntlm-auth.trusted-uris entry in its configuration (accessed by
entering about:config in the Firefox address bar).
• Safari 3.6 – Although Safari does support NTLM, it does not currently support fully
transparent logon using the user’s domain credentials.