Configuring domain name scans
December 13, 2023
ID 189886
It is recommended to enable scanning of domain names to ensure correct application of traffic processing rules and criteria of user affiliation to workspaces. You can disable scanning of domain names if your organization saves the domain names of users in browser settings with a blank domain portion or in a format that is not supported by the application.
Different formats of domain names are obtained from combinations of the following elements of a user account:
- NETBIOS name – unique domain name consisting of a 16-byte address for identification in the local area network.
- DNS name – domain name that includes the names of all parent domains of the DNS hierarchy separated by a dot.
- sAMAccountName – user account name in pre-Windows 2000 format.
- UPN name (User Principal Name) – user account name consisting of a UPN prefix (input name) and UPN suffix (domain name) separated by the @ character.
The DNS name is used as the UPN suffix by default. You can specify alternate UPN suffixes and select them in the account properties instead of a DNS name.
In the Active Directory snap-in, these elements correspond to the fields presented in the example below, where:
name– UPN prefixtest.local– DNS nameTEST– NETBIOS namelastname– sAMAccountNametest.com– alternate UPN suffix
Properties of the domain and user account in the Active Directory snap-in
If domain name scans are disabled, user authentication is performed in accordance with the table presented below.
Authentication when domain name scans are disabled
Domain name format | Example | Authentication |
|---|---|---|
DNS-Name\sAMAccountName | test.local\lastname | Performed. |
NETBIOS-Name\sAMAccountName | test\lastname | Performed. |
UPN-Suffix\sAMAccountName | test.com\lastname | Performed. |
<any value>\sAMAccountName | <any value>\lastname | Performed. |
DNS-Name\UPN-Prefix | test.local\name | Not performed. |
NETBIOS-Name\UPN-Prefix | test\name | Not performed. |
UPN-Suffix\UPN-Prefix | test.com\name | Not performed. |
UPN-Prefix@DNS-Name | name@test.local | Performed, if the DNS name of the domain is used as the user UPN prefix. |
UPN-Prefix@NETBIOS-Name | name@test | Not performed. |
UPN-Prefix@UPN-Suffix | name@test.com | Performed, if the specified UPN suffix is used as the user UPN suffix. |
sAMAccountName@DNS-Name | lastname@test.local | Performed. |
sAMAccountName@NETBIOS-Name | lastname@test | Performed. |
sAMAccountName@UPN-Suffix | lastname@test.com | Not performed. |
If domain name scans are enabled, the application will allow user authentication only when the domain name is specified in a supported format. In this case, the application will be able to correctly recognize a user and apply the defined settings of traffic processing rules and workspaces.
The formats of domain names supported by the application in the current version and in version 6.0 are presented in the table below.
Supported formats of domain names
Format | Example | Support in version 6.0 |
|---|---|---|
NETBIOS\sAMAccountName | TEST\lastname | Yes |
sAMAccountName@NETBIOS | lastname@TEST | No |
sAMAccountName@DNS-Name | lastname@test.local | Yes |
DNS-Name\sAMAccountName | test.local\lastname | No |
UPN-Prefix@UPN-Suffix | name@test.com | No |
To configure domain name scans:
- In the application web interface, select the Settings → Built-in proxy server → Authentication section.
- In the NTLM field, click the Set up link.
The NTLM authentication settings window opens.
- Set the Check domain names toggle switch to Enabled.
- In the Allowed DNS/NETBIOS domain names field, specify the allowed domain name.
- If you want to add multiple names, click the
icon and specify the name in the entry field that appears. - Click Save.
The proxy server will be restarted. Traffic processing will be paused before the restart completes.
Domain name scans will be configured. When authentication is attempted with a domain name that has not been specified as an allowed domain name, the proxy server will not relay the authentication request to the Active Directory server. The user will have to re-enter the account credentials.
