Client integrated authentication

Client Integrated Authentication using Domain Controller (NTLM) automatically authenticates the client's Windows user name and password. The user does not need to enter a name and password unless their browser cannot authenticate against the domain controller, in which case the user is prompted for an alternative. The password is never transmitted; only an encrypted challenge/response. Authentication is performed using the domain controller. Therefore, Secure Web Gateway must belong to the domain.

Configure domain controllers

1. Navigate to System > Proxy Settings > Authentication Settings. The Authentication Settings page is displayed.
2. Move the mouse pointer over the User Authentication is Enabled or the User Authentication is Disabled panel, and click Click here to change these settings.

3. Select Client Integrated Authentication using Domain Controller and click Save.

   When you have selected this authentication type, the NTLM Domain Controller panel will be displayed in the Authentication Settings page.

4. In the NTLM Domain Controller panel, click Click here to change these settings.
5. Edit the settings as required:
   • Configure automatic detection of domain controllers

     1. Select the Automatically detect Domain Controllers.
     2. Enter the Fully Qualified Domain Name of the realm that you want Secure Web Gateway to join.

     3. Enter the NetBIOS Domain Name.

        If no domain is entered, it will be set to the first part of the realm.

   • Configure a single domain controller

     1. Select Use Domain Controller and enter the Fully Qualified Domain Name.
     2. Enter the NetBIOS Domain Name.The length of this domain name must not exceed 160 characters.
6. Click Save.
7. In the task panel, Click Join Domain. The Join Domain dialog is displayed.
8. Enter your User Name and Password, and click Join.

When you configure Client Integrated Authentication using Domain Controller, Secure Web Gateway is added to the Windows domain. If you subsequently change the name of the Gateway, it will no longer be recognized by the domain and authentication will not work. When configuring Peer Gateways to use Client Integrated Authentication using Domain Controller, you must configure locally on each peer. If you attempt to configure authentication on a remote peer, it will appear as though authentication has been set up correctly; however, authentication will not work.

After you have applied your configuration, you can verify that users are being correctly authenticated.

Test authentication

1. On the Authentication Settings page, click Test Authentication in the task panel. The Test Authentication dialog is displayed.
2. Enter User Name and Password combination, then click Run Test.

Although Client Integrated Authentication (NTLM) supports user names or passwords that contain non-ASCII characters, the test mechanism does not. You cannot test authentication of user names or passwords containing extended characters.

Enable Apache Access Log

If you want to run diagnostics on your authentication, you can enable Apache Access logging for more information.

1. In the Apache Access Log is Enabled or the Apache Access Log is Disabled panel, click Click here to change these settings.
2. To enable or disable the generation of the logs, select or clear the Enable Apache access logging check box.