NTLM Authentication

  • Device
    User Identification
    User Mapping
    Palo Alto Networks User-ID Agent Setup
    NTLM
You can use NT LAN Manager (NTLM) TechDocs_logo_cropped.png to authenticate only Windows users. When a client web request matches an Authentication policy rule in which the authentication enforcement object specifies a browser-challenge (see Policies > Authentication), an NTLM challenge transparently authenticates the client. The firewall then collects user mapping information from the NTLM domain.
You can enable NTLM authentication processing for only one virtual system per firewall, which you select in the
Location
drop-down at the top of the
User Mapping
page.
Optionally, you can use the firewall to perform NTLM authentication processing for other firewalls by adding it as a User-ID agent to those firewalls. For details, see Configure Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent. For details, see the
NTLM Authentication
field in Device > User Identification > Captive Portal Settings.
Configure Authentication rules to use Kerberos single sign-on TechDocs_logo_cropped.png instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
The complete procedures to configure Captive Portal TechDocs_logo_cropped.png or Windows-based User-ID agents TechDocs_logo_cropped.png require additional tasks besides enabling NTLM.
To configure NTLM authentication processing, specify the settings described in the following table.
Field
Description
Enable NTLM authentication processing
Select this option to enable NTLM authentication processing.
NTLM Domain
Enter the NTLM domain name.
Admin User Name (
for the NTLM domain
)
Enter the administrator account that has access to the NTLM domain.
Do not include the domain in the
Admin User Name
field. Otherwise, the firewall will fail to join the domain.
Password/Confirm Password (
for the NTLM domain
)
Enter the password for the administrator account that has access to NTLM domain.

Related Documentation