Legacy NTLM authentication

Security > Proxy user authentication > Legacy NTLM authentication


	Important This implementation of NTLM support (Legacy NTLM) relies solely on the NTLMSSP protocol. Although it performs reliably as documented in this section, it is highly recommended that the Integrated Windows Authentication mode be used instead. It provides more robust and secure support for NTLM.

1.	WINS resolution is not supported. Domain controllers must have host names that can be resolved by a DNS server.

2.	Extended security is not supported and cannot be enabled on the domain controller.

3.	NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.

4.	NTLMv2 is not supported with Active Directory 2008. The required Network Security: LAN Manager Authentication setting is described in step 5 of Configuring NTLM proxy authentication, below.

5.	Not all browsers support transparent NTLM authentication. See Browser limitations.

6.	IP address-based NTLM credential caching is performed when authentication is successful in explicit mode. Transparent proxy authentication caching is handled separately and is configured on the Configuration > Security > Access Control > Transparent Proxy Authentication tab.

1.	Navigate to Configure > My Proxy > Basic > General.

2.	In the Authentication section, click Legacy NTLM On, and click Apply.

3.	Navigate to Configure > Security > Access Control > Legacy NTLM.

4.	In the Domain Controller Hostnames field, enter the hostname of the primary domain controller, followed, optionally, by a comma separated list of backup domain controllers. The format of the hostname must be:


	Note If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you do not use port 445, you must ensure that the Windows Network File Sharing service is running on the Active Directory server. See your Windows Server 2008 documentation for details.


	Note If you are using Active Directory 2008, in the Windows Network Security configuration, LAN Manager Authentication level must be set to Send NTLM response only. See your Windows Server 2008 documentation for details.

5.	Enable Load Balancing if you want the proxy to balance the load when sending authentication requests to multiple domain controllers.


	Note When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.

6.	Fail Open – specifies whether requests are allowed to proceed when user authentication fails.

Disabled – specifies that requests not proceed when authentication failures occur.

Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:

Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.

7.	IP address-based NTLM Credential Caching is enabled by default. Credential caching applies only when Content Gateway is an explicit proxy. Credentials are cached when authentication is successful.

8.	Caching TTL sets the time-to-live from entries in the credential cache. The default TTL is 900 seconds (15 minutes). To change the TTL, enter a new value in the entry field. The range of supported values is 300 to 86400 seconds.

9.	If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers), you must create a list of those servers in the Multi-user IP Exclusions field. Credentials for such users are not cached. Enter a comma separated list of IP addresses and IP address ranges.