Single-sign-on (SSO) using NTLM Browser Authentication in SonicOS 5.8. and above

03/26/2020

    Resolution

    As an enhancement to Single Sign-On, SonicOS 5.8 and above can use NTLM authentication to identify users by challenging their web browser directly. NTLM is one of the schemes in the browser authentication suite known as Integrated Windows Authentication and is supported by the major browsers (Internet Explorer, Firefox, Chrome and Safari), not only Mozilla-based ones. The appliance sends the authentication request straight to the browser with no SSO agent involvement. Because it depends only on the browser, NTLM authentication works on Windows, Linux and Mac PCs, which provides a way to achieve Single Sign-On for Linux and Mac clients that cannot interoperate with the SSO agent.


    NTLM authentication can be used as a supplement to identifying users via an SSO agent or, with some limitations, on its own without the agent. If the user is logged into the domain and the browser sees the SonicWall appliance as being located in the local intranet zone of the domain, the authentication can be fully automatic and transparent to the user: the browser answers the challenge with the user's domain credentials, which the appliance verifies via RADIUS. In other cases the browser may prompt the user to enter credentials to authenticate with the appliance, but even then the browser can cache those credentials so that further authentications happen transparently.

    NTLM is a challenge-response authentication protocol. It consists of the following three messages:

    • NEGOTIATE_MESSAGE (Type 1): Sent by the client to the server, listing the features the client supports.
    • CHALLENGE_MESSAGE (Type 2): Sent by the server, listing the features agreed upon. It also carries an 8-byte server challenge.
    • AUTHENTICATE_MESSAGE (Type 3): The client's response, containing, among other things, the client's domain name, user name and workstation name together with the responses computed from the server challenge.

    In the SonicWall context, when a client computer tries to access a website on the internet, the above translates to the following:

    • Client sends a GET request for the intended website.
    • SonicWall redirects the client to http://<appliance IP>/ntlmAuth.html (e.g. http://192.168.168.168/ntlmAuth.html), where the NTLM exchange takes place.
    • Client sends the NEGOTIATE message with the client OS, workstation domain and workstation name.
    • SonicWall sends the CHALLENGE message with the target domain, server name, etc.
    • Client sends the AUTHENTICATE message with the domain name, user name and host name.
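    The three messages above as they cross the wire, as an added example that is not part of the original article and not SonicWall code. It encodes and decodes the MS-NLMP message layouts (signature, message type, negotiate flags and the length/offset security buffers) and wraps them the way HTTP carries them (Authorization: NTLM <base64> from the browser, WWW-Authenticate: NTLM <base64> from the appliance). The domain, user and workstation names and the 24-byte response values are constructed; the derivation of the responses from the password hash is deliberately left out, since the appliance hands that verification to RADIUS rather than doing it itself.

```python
"""Minimal encoder/decoder for the three NTLM messages as carried over HTTP (MS-NLMP layout).
Added example, not SonicWall code. Names and response bytes below are constructed."""
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE = 1, 2, 3

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
OEM_DOMAIN_SUPPLIED = 0x00001000
OEM_WORKSTATION_SUPPLIED = 0x00002000
TARGET_TYPE_DOMAIN = 0x00010000


def _field(data: bytes, offset: int) -> bytes:
    """Security buffer descriptor: Len, MaxLen, BufferOffset (all little-endian)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_field(msg: bytes, at: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def _encode(text: str, flags: int) -> bytes:
    return text.encode("utf-16-le") if flags & NEGOTIATE_UNICODE else text.encode("ascii")


def _decode(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("ascii")


def message_type(msg: bytes) -> int:
    """Every NTLM message starts with the 8-byte signature followed by its type."""
    if not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def build_negotiate(domain: str, workstation: str) -> bytes:
    """Type 1: client advertises features; domain and workstation are OEM (ASCII) strings here."""
    flags = (NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM
             | OEM_DOMAIN_SUPPLIED | OEM_WORKSTATION_SUPPLIED)
    dom, wks = domain.encode("ascii"), workstation.encode("ascii")
    header_len = 32  # signature + type + flags + two security buffers
    return (SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
            + _field(dom, header_len) + _field(wks, header_len + len(dom)) + dom + wks)


def parse_negotiate(msg: bytes):
    assert message_type(msg) == NEGOTIATE_MESSAGE
    flags = struct.unpack_from("<I", msg, 12)[0]
    return flags, _read_field(msg, 16).decode("ascii"), _read_field(msg, 24).decode("ascii")


def build_challenge(target: str, server_challenge: bytes) -> bytes:
    """Type 2: server returns the agreed flags, the target name and an 8-byte random challenge."""
    assert len(server_challenge) == 8
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN
    name = _encode(target, flags)
    header_len = 48  # up to and including the (empty) TargetInfo security buffer
    return (SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE) + _field(name, header_len)
            + struct.pack("<I", flags) + server_challenge + bytes(8)  # Reserved
            + _field(b"", header_len + len(name)) + name)


def parse_challenge(msg: bytes):
    assert message_type(msg) == CHALLENGE_MESSAGE
    flags = struct.unpack_from("<I", msg, 20)[0]
    return msg[24:32], flags, _decode(_read_field(msg, 12), flags)


def build_authenticate(domain, user, workstation, lm_response, nt_response, flags) -> bytes:
    """Type 3 field order: LM response, NT response, domain, user, workstation, session key, flags."""
    strings = [_encode(s, flags) for s in (domain, user, workstation)]
    fields, payload, offset = b"", b"", 64  # 64-byte fixed header
    for item in (lm_response, nt_response, *strings, b""):
        fields += _field(item, offset)
        payload += item
        offset += len(item)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields + struct.pack("<I", flags) + payload


def parse_authenticate(msg: bytes) -> dict:
    """What the appliance extracts before asking RADIUS: identity plus the challenge responses."""
    assert message_type(msg) == AUTHENTICATE_MESSAGE
    flags = struct.unpack_from("<I", msg, 60)[0]
    lm, nt, dom, usr, wks = (_read_field(msg, 12 + 8 * i) for i in range(5))
    return {"domain": _decode(dom, flags), "user": _decode(usr, flags),
            "workstation": _decode(wks, flags), "lm_response": lm, "nt_response": nt}


def header_value(msg: bytes) -> str:
    """Value of the Authorization / WWW-Authenticate header that carries the message."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def from_header_value(value: str) -> bytes:
    scheme, _, b64 = value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("unexpected auth scheme " + scheme)
    return base64.b64decode(b64)


def simulate_browser_exchange(domain="CORP", user="jdoe", workstation="WS01") -> dict:
    """The exchange after the redirect to /ntlmAuth.html, both sides in one process (constructed data)."""
    t1 = from_header_value(header_value(build_negotiate(domain, workstation)))  # browser -> appliance
    _, adv_domain, _ = parse_negotiate(t1)
    t2 = from_header_value(header_value(build_challenge(adv_domain, os.urandom(8))))  # appliance -> browser
    challenge, flags, _target = parse_challenge(t2)
    # Real clients derive the two 24-byte responses from the password hash and `challenge`;
    # constructed bytes stand in here because the appliance forwards them to RADIUS unverified.
    t3 = from_header_value(header_value(build_authenticate(
        domain, user, workstation, os.urandom(24), os.urandom(24), flags)))  # browser -> appliance
    identity = parse_authenticate(t3)
    identity["challenge"] = challenge
    return identity
```

    The parser is also the useful half for the defender: the same security-buffer reads pull domain, user and workstation out of any captured Authorization: NTLM header, which is exactly the identity the appliance logs and ties to CFS and App Rules policy.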

    Having obtained the user information from the client computer, SonicWall queries the RADIUS server to determine whether the user can be allowed access:

    • SonicWall sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access to the client based on the credentials supplied.
    • The RADIUS server responds with Access Accept message to grant access to the client if the credentials supplied by the client meet the criteria defined in the RADIUS server.

    If the client is granted access by the RADIUS server, SonicWall gets the user's group membership information from the LDAP server in the following manner:

    • SonicWall sends a searchRequest message with the client's username and domain name to the LDAP server to get group membership information.
    • The LDAP server responds with the CN of the user followed by the user's group membership information.

    Based on the user group membership information and based on CFS, App Control and App Rules policies, SonicWall allows / blocks the user from accessing the requested site.
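    The RADIUS and LDAP steps above, as an added example that is not part of the original article and not SonicOS code. It builds a RADIUS Access-Request carrying the NTLM challenge and responses, checks the Response Authenticator on the reply so that a spoofed Access-Accept from a host that does not know the shared secret is rejected, and builds the LDAP search filter for the group lookup with RFC 4515 escaping, because the user name placed in that filter arrived in the client's AUTHENTICATE message and is therefore attacker-controlled input. Assumptions: the page does not say which RADIUS attributes SonicOS sends, so the Microsoft MS-CHAP attributes from RFC 2548 are assumed; the sAMAccountName attribute, the shared secret and the response bytes are constructed.

```python
"""After the NTLM identity is known: RADIUS Access-Request / reply verification and a safe
LDAP filter. Added example, not SonicOS code; attribute choice and data are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
VENDOR_MICROSOFT = 311                      # RFC 2548
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE = 1, 11  # assumed: the page does not name the attributes used


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header bytes (RFC 2865 section 5)."""
    assert len(value) <= 253
    return struct.pack("BB", atype, len(value) + 2) + value


def _ms_vsa(vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute wrapping one Microsoft sub-attribute."""
    sub = struct.pack("BB", vtype, len(value) + 2) + value
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", VENDOR_MICROSOFT) + sub)


def build_access_request(ident: int, user: str, domain: str, challenge: bytes,
                         lm_response: bytes, nt_response: bytes):
    """Access-Request with the NTLM challenge/response pair as MS-CHAP attributes.
    Returns (packet, request_authenticator); the authenticator is needed to verify the reply."""
    assert len(challenge) == 8 and len(lm_response) == 24 and len(nt_response) == 24
    request_auth = os.urandom(16)  # must be unpredictable; it binds the reply to this request
    # MS-CHAP-Response: Ident(1) Flags(1; 1 means the NT-Response is the valid one) LM(24) NT(24)
    ms_resp = bytes([0, 1]) + lm_response + nt_response
    attrs = (_attr(ATTR_USER_NAME, f"{domain}\\{user}".encode())
             + _ms_vsa(MS_CHAP_CHALLENGE, challenge)
             + _ms_vsa(MS_CHAP_RESPONSE, ms_resp))
    head = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs, request_auth


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes, expected_ident: int):
    """Client side. Returns the reply code only if the Response Authenticator proves the shared
    secret and the Identifier matches the outstanding request; otherwise None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


# RFC 4515 filter escaping for values taken from the NTLM AUTHENTICATE message
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def group_lookup_filter(user: str) -> str:
    """Filter for the searchRequest that fetches the user's DN and memberOf (sAMAccountName assumed)."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(user)}))"


def simulate_radius_round_trip(secret: bytes = b"constructed-shared-secret"):
    """One Access-Request and its Access-Accept, then the same reply checked with a wrong secret."""
    challenge, nt_response = os.urandom(8), os.urandom(24)  # constructed, see block comment
    _request, request_auth = build_access_request(7, "jdoe", "CORP", challenge, bytes(24), nt_response)
    reply = build_reply(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    return verify_reply(reply, request_auth, secret, 7), verify_reply(reply, request_auth, b"wrong", 7)
```

    Two things worth keeping from this: the Request Authenticator must be fresh per request, because a predictable one lets a spoofed Access-Accept be precomputed; and every LDAP filter built from NTLM-supplied names must go through the escaping, or a user name such as `*)(objectClass=*` turns the group lookup into a different query.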

     

    Deployment:

    This article describes the method to configure Browser NTLM Authentication in SonicWall:

    1. Configuring LDAP in SonicWall
    2. Configuring RADIUS in SonicWall
    3. Configuring SonicWall SSO Agent as the primary single-sign-on method
    4. Configuring SSO using Browser NTLM Authentication
    5. Client Computer Configuration


    Configuring LDAP in SonicWall

    In this section we illustrate how to configure LDAP, which the appliance uses to look up the user and the user's group membership.

    1. Log in to the SonicWall management GUI.
    2. Navigate to the Users > Settings page.
    3. In the Users > Settings page, select LDAP under Authentication method for login.
    4. Click on Configure to bring up the LDAP Configuration window.
    5. Configure the following settings:

    (screenshots of the LDAP Configuration window not reproduced)


    Configuring RADIUS in SonicWall

    In this section we illustrate how to configure the RADIUS server that the appliance uses to verify the NTLM credentials.

    1. In the Users > Settings page, click the third Configure button, next to "RADIUS may also be required for CHAP/NTLM" (this option is available only when LDAP is selected as the authentication method). This brings up the RADIUS Configuration window.
    2. Configure the following settings:

    (screenshots of the RADIUS Configuration window not reproduced)


    Configuring SonicWall SSO Agent as the primary single-sign-on method

    Although NTLM can be used as a stand-alone single-sign-on method, SonicWall recommends using the SonicWall SSO Agent as the primary single-sign-on method and falling back to NTLM only when the SonicWall SSO Agent fails.

    1. On the Users > Settings page, select SonicWall SSO Agent under Single-sign-on method and click on the Configure button.
    2. In the SonicWall SSO Agent Authentication Configuration window, configure the following settings:

    (screenshots of the SonicWall SSO Agent Authentication Configuration window not reproduced)



    Configuring SSO using Browser NTLM Authentication

    1. In the Users > Settings page, select "Browser NTLM authentication only" under Single-sign-on method.
    2. Click on Configure to bring up the SonicWall SSO Agent Authentication Configuration window.
    3. Configure the following settings:

    (screenshots of the NTLM authentication settings not reproduced)


    Client Computer Configuration

    Although in most cases authentication is automatic using the user's domain credentials, in some cases the browser may prompt the user to enter credentials. Whether the browser uses the domain credentials to give fully transparent, automatic authentication depends on it treating the appliance's domain name or IP address as part of the local intranet. Browsers may require some configuration before they trust the appliance's domain name or IP address.

    Internet Explorer, Chrome: It may be necessary to add the appliance's domain name or IP address under Internet Options > Security > Local Intranet > Sites > Advanced. This can also be done using Windows Group Policy.

    (screenshot of the Local Intranet sites dialog not reproduced)

    Firefox: Add the appliance's domain name or IP address under about:config > network.automatic-ntlm-auth.trusted-uris.

    (screenshot of the Firefox about:config entry not reproduced)


    Windows 7 or Vista PCs

    In Windows Vista, Windows 7 and later, the default LAN Manager authentication level is "Send NTLMv2 response only", so the client will not send the NTLM (v1) response this feature depends on and the level has to be lowered manually. When doing so, do not choose an NTLMv2-only level: the appliance verifies the browser's NTLM response by forwarding it to RADIUS as a CHAP/MS-CHAP style challenge-response, and that path cannot validate NTLMv2 responses. Note that this setting applies to every server the client authenticates to, not just the appliance, so it lowers the client's NTLM security across the board and should be scoped with Group Policy to the machines that need browser SSO. To enable NTLM authentication, follow these steps:

    • Open Control Panel
    • Select Administrative Tools
    • Click on Local Security Policy
    • Go to Local Policies > Security Options
    • Edit the "Network Security: LAN Manager authentication level" setting.
    • Set it to "Send NTLM response only" or "Send LM & NTLM - use NTLMv2 session security if negotiated".

    The same setting is stored in the registry as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (2 and 1 respectively for the two values above), which is what a Group Policy deployment changes.

    (screenshot of the Local Security Policy setting not reproduced)

    Once a client computer has authenticated successfully, a corresponding log message appears under Log > View.

    (screenshot of the log entry not reproduced)


    Related Articles

    • How to change the HTTP and HTTPS management ports on UTM Appliances using CLI
    • Bandwidth usage and tracking in SonicWall
    • How to force an update of the Security Services Signatures from the Firewall GUI

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall NSA Series
