NTLM (NT Lan Manager) is a Microsoft authentication protocol that enables a user on a Windows domain to authenticate with a website through the browser. NTLM passes the credentials of the user currently logged-in on the machine, on the Windows domain, to the browser to authenticate with the site. When Integrated Windows Authentication is enabled on a site or page, a request for authentication credentials is passed to the user so the site can authenticate the user on the server. With NTLM Authentication enabled, credentials pass from the local machine, through the browser to the site, so the user is automatically logged in without being prompted. For this to work, for the CMS, Active Directory must be enabled, and Single Sign On (SSO) must be set up.
This article provides information and tips on NTLM configuration for various browsers. This includes:
- Internet Explorer
Please note that the information here is not Ektron product. For additional troubleshooting on NTLM settings, seek support from the browser vendors. Additional information is included below for each browser. Results may vary due to system and infrastructure settings and are primarily here as known guidelines.
- In the Location bar, type about:config, and press Enter.
- The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
- In the about:config page, search for the preference network.automatic-ntlm-auth.trusted-uris, and double-click it.
- In the prompt that comes up, type a list of servers you want to allow, separated by a comma and a space. For example, to allow http://myinternalserver and http://anotherinternalserver, type in myinternalserver, anotherinternalserver.
- Press OK.
For more support, please click here.
For Add-Ons, please click here.
For Additional Resources, review here.
For Internet Explorer:
- Start Internet Explorer and go to Tools > Internet Options to display the Internet Options window.
- Switch to Security tab and click Custom level... to configure Security Settings.
- In the Security Settings - Internet Zone window, go to User Authentication > Logon and select Automatic logon with current username and password.
For Google Chrome:
For information on supported Authentication Schemes and steps, please click here. Chrome has been updated (version 5+) has the following:
In Windows, it integrates with the intranet zones setting in 'internet options'.
In Windows only, if the command-line switch is not present, the permitted list consists of those servers in the Local Machine or Local Intranet security zone (for example, when the host in the URL includes a "." character it is outside the Local Intranet security zone), which is the behavior present in IE.
If a challenge comes from a server outside of the permitted list, the user needs to enter the username and password.
For other OSs, you can use the command line switch:
Many references indicate that Chrome has known issues with NTLM Authentication. There is information that suggests that it can be made to work, however it goes from simple to more complex. The information below should assist in configuration.
For additional support issues, please review the support link for Issue 19: Automatic integrated windows Authentication.
For General Support, please visit Google Chrome Help.
Security Update 2005-2009 addresses NTLM issues and is noted that this issue does not affect systems prior Mac OS X v10.4. So it looks like prior to version 2.x, it does not appear that Safari supported NTLM authentication.
There are a few workarounds that suggest that this can be implemented. You can disable Negotiate in favor of pure NTLM in IIS via the NTAuthenticationProviders Metabase setting. Here is an example of the ADSUTIL command.
cscript adsutil.vbs set w3svc/WebSite//NTAuthenticationProviders "NTLM"
Change < SiteID > to the appropriate ID, typically 1.
There are also some software solutions that can be implemented which are reported on Oreilly in the article Using OS X Software behind Proxy Authentication. For additional questions, contact Apple Support.