Ticket from the Windows-NETBIOS-domain (NTLM)

The NTLMv2 method is used as a default for authentication in the operating systems Windows Vista, Windows 7 and Windows Server 2008 R2.

The NTLM authentication is used by FirstSpirit Server if the NTLM login module is used for the login process. The NTLM login module is not compatible with NTLMv2. When using the aforementioned operating system versions and the NTLM login module, the setting of the LAN manager authentication level must be changed and NTLM(v1) allowed.

JAAS module name: de.espirit.firstspirit.server.authentication.NTLMLoginModule

A ticket created during login in a Windows domain is accepted. Editors only have to login once at their workstation, since the web browser automatically transfers the ticket to FirstSpirit. Only the Microsoft Internet Explorer is currently supported as web browsers for this login method. The Windows domains permitted for login are specified via parameter domains. Domain servers can be additionally specified as an option.

Entries for the parameter “domains” are possible as follows:
"Browser-Domain:Domain-Controller1,Domain-Controller2".

It is possible to enter multiple domains which are consecutively checked for login.
; is used as separator.           
Example:
"Browser-Domain1:dc1,dc2;Browser-Domain2:dc3,dc4"

Using the userAgents parameter: Here it is possible to enter a search pattern to activate NTLM login for selected web browsers only, as NTLM uses an HTTP header which does not fully conform to the standard ("WWW-Authenticate: Negotiate"); several older web browsers interpret this as an error. To use NTLM for all web browsers, enter ".*".    
Default value: ".*MSIE.*"

The module supports NETBIOS and Active Directory domains. “Browser-Domain” is the domain transferred by the web browser to the FirstSpirit Server in the login credentials. During login a search is carried out for an entry which matches the browser domain. The login credentials is subsequently sent to the specified domain controller for checks.

If a domain has not been entered, the login credentials is always checked at the entered domain controller(s) irrespective of the domain transferred by the browser; example “:Domaincontroller1,Domaincontroller2”.        

Adapt security settings

• If the Mozilla Firefox browser is used, the following configurations are recommended, since Mozilla Firefox does not transfer the domain of the user account to the server: “:Domaincontroller1,Domaincontroller2”.
• If the Internet Explorer is used, the following configurations are recommended: “:Domaincontroller1,Domaincontroller”2 or       
  “Browser-Domain:Domaincontroller1,Domaincontroller2”.
• If both browsers are to be used, it is possible to combine the configurations by separating them with ;.

If login with ticket does not work when using the Internet Explorer, set the security settings as shown in the figure. User authentication should be set to “Automatic login with current user name and password”. Additionally add the host name of the FirstSpirit Server at “Trusted sites”.

Settings in the operating system for adapting the behaviour to NTLM(v1)

Network security: LAN manager authentication level

The following instruction explains how to change over the operating system to the previous behaviour:

Default setting in Windows XP

1. Press Application key + R
2. enter secpol.msc and press Enter
3. Switch to “Local Policies / Security Options”: (see Figure: Network security: LAN manager authentication level)        
4. A window opens when the “Network security: LAN Manager authentication level” entry is double clicked.     
5. NTLM must be allowed as a value for the LAN authentication in this window (see Figure: Default setting in Windows XP).
6. The selection must be confirmed with the OK button.

In addition to the NTLM login module, the Kerberos login module is also available. To use Kerberos, unlike NTLM, it is not necessary to make any changes to the settings in the operating system and it is the preferred option.