It is recommended to use Kerberos authentication because it is the most robust mechanism. NTLM authentication allows hackers to access user passwords by intercepting network traffic.
To configure NTLM authentication on the proxy server:
In the application web interface, select the Settings → Built-in proxy server → Authentication section.
In the NTLM field, click the Set up link.
The NTLM authentication settings window opens.
Set the toggle switch to Enabled.
In the Domain name field, enter the name of the domain for which you want to configure authentication.
SRV records are used to search for a domain controller.
To successfully search for a domain controller on a DNS server, SRV records must be created for the specified domain. These records are usually created automatically when Active Directory is deployed. However, you can manually add them when necessary.
An SRV record is a DNS standard that determines the location, i.e. the host name and port number, of servers for specific services.
You can use the following commands to check for the availability of SRV records and to verify their fields:
For Linux operating systems, you can use any of the following commands:
The domain controller search is performed according to the following procedure:
The application receives a list of the SRV records found for the _ldap._tcp.<specified domain name> string.
All records are grouped based on the value of the priority field, from higher priority to lower priority. Within each group, SRV records are sorted by the value of the weight field.
You can change the fields of SRV records (Priority and Weight) on a DNS server to define the order of connection to domain controllers.
The application attempts to establish a connection with each successive server in the list until the first successful connection.
If no connection could be established with any server from the list, the procedure starts again.
If you want to test the connection with the domain controller based on the defined settings, click the Test connection button.
The test result is displayed on the right of the button.
Click Save.
The proxy server will be restarted. Traffic processing will be paused until the restart completes.
NTLM authentication will be configured. The proxy server will process requests only from those users who complete the authentication procedure.
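The domain controller search order described above can be checked against your own SRV records before saving the settings. The following is an added example, not the application's code: it parses answer lines in the `priority weight port target` layout, orders them, and walks the list until a connection succeeds. The domain `example.test`, the host names and the stub connector are constructed. A lower priority number means higher priority (RFC 2782); sorting heavier weights first within a group is an assumption, since the procedure does not state the direction.

```python
# Added example: predicts the order in which domain controllers would be tried.
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight port target")

# Constructed sample: SRV answer lines for _ldap._tcp.example.test
# (hypothetical domain and hosts), including a duplicate and a bad line.
SAMPLE = """\
10 50 389 dc3.example.test.
0 100 389 dc1.example.test.
0 200 389 dc2.example.test.
10 50 389 dc3.example.test.
garbage line
"""

def parse_srv(text):
    """Parse SRV answer lines, skipping malformed and duplicate entries."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        rec = Srv(int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip("."))
        if rec not in records:
            records.append(rec)
    return records

def connection_order(records):
    """Group by priority (lowest number = highest priority, RFC 2782),
    then sort by weight inside each group. Heaviest-first is an assumption:
    the documented procedure does not state the direction of the weight sort."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def first_reachable(records, connect):
    """Try each server in order and return the first one `connect` accepts.
    Returns None if every attempt fails (the procedure would then start again)."""
    for rec in connection_order(records):
        if connect(rec.target, rec.port):
            return rec
    return None

if __name__ == "__main__":
    recs = parse_srv(SAMPLE)
    for r in connection_order(recs):
        print(r.priority, r.weight, f"{r.target}:{r.port}")
    # Stub connector (constructed): pretend only dc3 answers.
    print(first_reachable(recs, lambda host, port: host.startswith("dc3")))
```

An empty result from `parse_srv` corresponds to the case where no SRV records exist for the domain and the search cannot find a domain controller.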