How to use NTLM 407 authentication to authenticate users in a multi-domain forest
Last Updated November 28, 2011
You need steps for configuring SWG in Proxy mode to authenticate users in a Windows forest with multiple domains.
Configure the Authentication page with domain account credentials and point it at a Global Catalog server instead of an ordinary domain controller, so that users from every domain in the forest can be looked up.
To configure SWG NTLM 407 Authentication for multiple domains
1. Check "Use LDAP to identify end users".
2. Beside "LDAP Server IP or Hostname", type the IP address or hostname of the Global Catalog server to use for authenticating users.
3. Beside "LDAP Port", type 3268.
4. In the "Authentication Method" dropdown box, select an authentication method.
5. Fill out the fields "LDAP Search Base (Base DN)", "User Name", and "Password".
6. Beside "Test LDAP", click Test.
7. If the test fails, diagnose and resolve the test failure before continuing.
8. In "Default Realm", type the pre-Windows 2000 domain name. You can find the pre-Windows 2000 domain name by viewing the domain's properties in the "Active Directory Domains and Trusts" console.
9. In the field "Primary Domain Controller", type the Fully Qualified Domain Name (FQDN) of the primary domain controller.
10. (Optional) In the field "Secondary Domain Controller", type the FQDN of the secondary domain controller.
11. Do one of the following:
   - Check the box "Use LDAP Credentials for Domain Controller", or
   - Specify credentials in "Domain Controller User Name" and "Domain Controller Password".
12. Beside "Test NTLM (HTTP 407)", click Test.
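The following PowerShell function is an added example, not code from the Symantec article or the SWG product. It reproduces what the "Test LDAP" step does from any Windows host with .NET, so that a failing test can be diagnosed outside the SWG UI: it binds to the Global Catalog on port 3268 with the service account, confirms through rootDSE that the server really is a GC, and then looks up the service account itself under the configured Base DN. The hostname, Base DN and account shown in the usage lines are placeholders.

```powershell
# Added example (not from the Symantec article): command-line equivalent of "Test LDAP".
# Host, Base DN and account names are placeholders, not values from the article.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-GlobalCatalogLdap {
    param(
        [Parameter(Mandatory)][string]$GcHost,           # Global Catalog server (assumed: gc01.corp.example.com)
        [Parameter(Mandatory)][string]$BaseDn,           # LDAP Search Base, e.g. DC=corp,DC=example,DC=com
        [Parameter(Mandatory)][pscredential]$Credential, # the LDAP service account, entered as DOMAIN\user
        [int]$Port = 3268                                # GC port from the article; 389 would only show one domain
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($GcHost, $Port)
    $net  = $Credential.GetNetworkCredential()
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $net, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind()   # throws here on bad credentials, a closed port or an unreachable host

        # Port 3268 is only served by a Global Catalog; rootDSE confirms it is ready to serve
        # the forest-wide partial attribute set rather than just its own domain.
        $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            "", "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base,
            @("isGlobalCatalogReady"))
        $rootResp = $conn.SendRequest($rootReq)
        $isGc = "$($rootResp.Entries[0].Attributes['isGlobalCatalogReady'][0])" -eq "TRUE"

        # Look up the service account under the Base DN: exactly one hit means the Base DN is
        # valid on this server and the account can read memberOf values (what the sync needs).
        $filter = "(&(objectClass=user)(sAMAccountName=$($net.UserName)))"
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @("memberOf"))
        $resp = $conn.SendRequest($req)
        $groups = if ($resp.Entries.Count -gt 0 -and $resp.Entries[0].Attributes.Contains("memberOf")) {
            $resp.Entries[0].Attributes["memberOf"].GetValues([string])
        } else { @() }

        [pscustomobject]@{
            Server           = "$GcHost`:$Port"
            Bound            = $true
            IsGlobalCatalog  = $isGc
            AccountFound     = ($resp.Entries.Count -eq 1)
            DirectGroupCount = @($groups).Count
        }
    }
    finally { $conn.Dispose() }
}

# Usage (placeholders):
# $cred = Get-Credential -Message "LDAP service account as DOMAIN\user"
# Test-GlobalCatalogLdap -GcHost "gc01.corp.example.com" -BaseDn "DC=corp,DC=example,DC=com" -Credential $cred
```

A failure at `Bind()` points at credentials, name resolution or the port; `IsGlobalCatalog` being False means the hostname resolves to an LDAP server that is not a GC; `AccountFound` being False with a successful bind usually means the Base DN is wrong for the forest. Run it from the same network segment as the SWG appliance so firewall rules between the appliance and the GC are exercised too.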
- As with NTLM 401 Authentication, configuring an SWG appliance for NTLM 407 Authentication and relaying log entries via dcinterface to the same SWG appliance causes unpredictable behavior. For any given SWG appliance, use NTLM Authentication or use dcinterface, but never use both at the same time.
- Replicating the memberOf property of each object throughout the forest is a requirement. If it is not replicated, group membership is not provided for LDAP users in domains other than the domain containing the service account for LDAP synchronization, and SWG then fails to trigger policies based on LDAP Workgroups.
To identify whether the forest synchronizes memberOf property data
1. At the domain controller of the top-level domain, click Start > Run.
2. Type: regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc /a, and then click OK.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
5. Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
6. Click the Attributes folder in the snap-in.
7. In the right pane, scroll down to the desired attribute [MemberOf], right-click it, and then click Properties.
8. If "Replicate this attribute to the Global Catalog" is not checked, SWG will not identify workgroup membership in subdomains consistently at this time. Consult your domain administrator to determine the expected impact of checking this option.
- NTLM 407 configuration requires that the interface names on the Network tab of the SWG User Interface (UI) are unique. If more than one SWG is deployed, all SWG appliances must have unique interface names.
- Kerberos authentication for LDAP synchronization and NTLM Authentication both depend on accurate time. Typically, a domain controller rejects logons from a machine whose clock differs from its own by five (5) or more minutes.
- The LDAP synchronization performed by the SWG appliance DOES NOT TRAVERSE MULTIPLE LAYERS OF LDAP GROUPS. This behavior is by design. When you configure a policy for an LDAP Workgroup, only LDAP users that are direct members of that LDAP Workgroup trigger that LDAP-enabled policy. To confirm LDAP Workgroup membership, open the properties of the user account in Active Directory Users & Computers and examine the memberOf tab.
- The LDAP synchronization performed by the SWG appliance occurs once every 168 hours by default. When an LDAP user does not trigger an LDAP-enabled policy because they were added to the LDAP Workgroup after the most recent sync, you can manually refresh that user on a User Report as follows:
  1. Log on to a client machine with the account in question.
  2. Visit a blocked web site.
  3. On the Custom Reports page, search for and click the LDAP Username.
  4. The page that appears is the User Report for that user.
  5. Click the Refresh button in the upper right-hand corner.
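The two PowerShell functions below are an added example, not code from the Symantec article or the SWG product. They give command-line checks for two of the notes above, using the RSAT ActiveDirectory module (assumed to be installed on the host where they run); the server, user and group names in the usage lines are placeholders. `Test-MemberOfInGlobalCatalog` reports what the Schema snap-in procedure checks by hand: the "Replicate this attribute to the Global Catalog" checkbox corresponds to the `isMemberOfPartialAttributeSet` value on the attribute's schema object. `Compare-WorkgroupMembership` shows why a user may not trigger an LDAP Workgroup policy: SWG reads only the user's own memberOf values (direct membership), whereas Windows also honours nested groups.

```powershell
# Added example (not from the Symantec article). Requires the RSAT ActiveDirectory module;
# server, user and group names are placeholders.
Import-Module ActiveDirectory

function Test-MemberOfInGlobalCatalog {
    param([string]$Server)   # any DC, ideally the schema master; defaults to the current domain
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $root = Get-ADRootDSE @common
    # The schema object for memberOf lives in the schema naming context of the forest
    $attr = Get-ADObject @common -SearchBase $root.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=memberOf)' `
        -Properties lDAPDisplayName, attributeID, isMemberOfPartialAttributeSet
    if (-not $attr) { throw "memberOf not found under $($root.schemaNamingContext)" }
    [pscustomobject]@{
        SchemaObject   = $attr.Name
        AttributeID    = $attr.attributeID
        ReplicatedToGC = [bool]$attr.isMemberOfPartialAttributeSet   # attribute absent = box unchecked
        SchemaMaster   = (Get-ADForest @common).SchemaMaster         # where a schema change would be made
    }
}

function Compare-WorkgroupMembership {
    param(
        [Parameter(Mandatory)][string]$User,    # sAMAccountName, e.g. jdoe
        [Parameter(Mandatory)][string]$Group,   # AD group mapped to the SWG LDAP Workgroup
        [string]$Server                         # DC of the domain that holds the group (optional)
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Direct membership: the memberOf values the SWG LDAP sync reads from the user object
    $direct  = @((Get-ADUser @common -Identity $User -Properties memberOf).memberOf)
    $groupDn = (Get-ADGroup @common -Identity $Group).DistinguishedName

    # Effective membership: -Recursive flattens nested groups to their leaf members, as Windows does
    $effective = @(Get-ADGroupMember @common -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName })

    # Groups nested one level inside $Group that the user belongs to directly (the hop SWG skips)
    $childGroups = @(Get-ADGroupMember @common -Identity $Group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { $_.DistinguishedName })
    $viaNested = @($direct | Where-Object { $childGroups -contains $_ })

    [pscustomobject]@{
        User            = $User
        Group           = $groupDn
        DirectMember    = ($direct -contains $groupDn)   # True is what the SWG policy needs
        EffectiveMember = ($effective -contains $User)   # True even when membership is only via nesting
        NestedVia       = $viaNested
    }
}

# Usage (placeholders):
# Test-MemberOfInGlobalCatalog -Server "dc01.corp.example.com"
# Compare-WorkgroupMembership -User "jdoe" -Group "Web-Unrestricted" -Server "dc01.corp.example.com"
```

A result with `EffectiveMember` True but `DirectMember` False is exactly the case the note describes: Windows treats the user as a member, SWG does not, and `NestedVia` names the intermediate group. `Get-ADGroupMember -Recursive` can fail when a group contains members from another domain of the forest; in that case run it against a DC of the members' domain, or rely on the direct memberOf view alone.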
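This PowerShell function is an added example, not code from the Symantec article or the SWG product. It measures a Windows host's clock offset against a domain controller with the built-in `w32tm /stripchart` command and flags anything approaching the five-minute limit mentioned in the notes above; the domain controller name is a placeholder, and the warning threshold is an assumed value.

```powershell
# Added example (not from the Symantec article): clock offset against a DC via w32tm.
# The DC name is a placeholder; $WarnSeconds is an assumed operational threshold.
function Get-DcClockOffset {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # e.g. dc01.corp.example.com
        [int]$Samples = 5,
        [int]$WarnSeconds = 60     # warn well before Kerberos/NTLM start rejecting logons
    )
    # /dataonly prints one "HH:MM:SS, +00.0012345s" line per sample (or ", error: 0x..." on failure)
    $lines   = & w32tm.exe /stripchart /computer:$DomainController /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No time samples from $DomainController. w32tm output: $($lines -join ' | ')"
    }
    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        DomainController = $DomainController
        Samples          = $offsets.Count
        OffsetSeconds    = [math]::Round($avg, 3)
        WithinSkewLimit  = [math]::Abs($avg) -lt 300        # the five-minute limit from the note
        NeedsAttention   = [math]::Abs($avg) -ge $WarnSeconds
    }
}

# Usage (placeholder): Get-DcClockOffset -DomainController "dc01.corp.example.com"
```

The regex expects the decimal point w32tm prints on an English-locale system; adjust it if the host prints a locale-specific decimal separator. The SWG appliance itself is not a Windows host, so run this from a Windows machine on the same segment and compare the appliance's NTP source with the domain controller's.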
- A trust relationship exists between the Windows domains in the forest.
- SWG 5.0.x is in either Proxy or Inline+Proxy mode.
- The schema is set so that the memberOf property is replicated throughout the forest.
Imported Document ID: TECH173503